Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the FY 2009 DHS Integrated Audit

(Redacted)

Notice: The Department of Homeland Security, Office of Inspector General has redacted the report for public release. A review under the Freedom of Information Act will be conducted upon request.

OIG-10-110                                                                    August 2010


Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

AUG 17 2010

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the FY 2009 DHS financial statement audit as of September 30, 2009. It contains observations and recommendations related to information technology internal control that were summarized within the Independent Auditors' Report, dated November 13, 2009, and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit of DHS' FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated December 9, 2009, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control or provide conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Assistant Inspector General
Information Technology Audits


KPMG LLP
2001 M Street, NW
Washington, DC 20036

December 9, 2009

Inspector General
U.S. Department of Homeland Security

Chief Information Officer
U.S. Department of Homeland Security

Chief Financial Officer
U.S. Department of Homeland Security

We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or Department) as of September 30, 2009, and the related statements of custodial activity for the years then ended (referred to herein as "financial statements"). We were also engaged to examine the Department's internal control over financial reporting (ICOFR) of the balance sheet as of September 30, 2009, and statement of custodial activity for the year then ended. We were not engaged to audit the statements of net cost, changes in net position, and budgetary resources, for the year ended September 30, 2009 (referred to herein as "other fiscal year [FY] 2009 financial statements"), or to examine internal control over financial reporting over the other FY 2009 financial statements. Because of matters discussed in our Independent Auditors' Report, dated November 13, 2009, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements. In addition, we were unable to perform procedures necessary to form an opinion on DHS' ICOFR of the FY 2009 balance sheet and statement of custodial activity.

In connection with our FY 2009 engagement, we examined DHS' internal control over financial reporting by obtaining an understanding of DHS' internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls. As noted above, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the effectiveness of ICOFR. Further, other matters involving ICOFR may have been identified and reported had we been able to perform all procedures necessary to express an opinion on the DHS balance sheet as of September 30, 2009, and the related statement of custodial activity for the year then ended, and had we been engaged to audit the other FY 2009 financial statements.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

During our audit engagement, we noted certain matters in the areas of access controls, configuration management, and system security with respect to DHS' financial systems Information Technology (IT) general controls which we believe contribute to a DHS-level significant deficiency that is considered a material weakness in IT controls and financial system functionality. These matters are described in the IT General Control and Financial System Functionality Findings by Audit Area section of this letter.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

The material weakness described above is presented in our Independent Auditors' Report, dated November 13, 2009. This letter represents the separate restricted distribution report mentioned in that report.

Although not considered to be a material weakness, we also noted certain other items during our audit engagement which we would like to bring to your attention. These matters are also described in the IT General Control and Financial System Functionality Findings by Audit Area section of this letter.

The material weakness and other comments described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. We aim to use our knowledge of DHS' organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you. We have not considered internal control since the date of our Independent Auditors' Report.

The Table of Contents on the next page identifies each section of the letter. In addition, we have provided: a description of key DHS financial systems and IT infrastructure within the scope of the FY 2009 DHS financial statement audit engagement in Appendix A; a description of each IT finding and recommendation in Appendix B; the current status of the prior year NFRs in Appendix C; and management's comments in Appendix D. Our comments related to financial management and reporting internal controls have been presented in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer dated December 9, 2009.

This report is intended solely for the information and use of DHS management, DHS Office of Inspector General, U.S. Office of Management and Budget, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,


Department of Homeland Security
Information Technology Management Letter
September 30, 2009

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

                                                                    Page
Objective, Scope and Approach                                          1
Summary of Findings and Recommendations                                2
IT General and Application Control Findings by Audit Area              4
    Access Controls                                                    4
    Configuration Management                                           5
    Security Management                                                6
    Service Continuity                                                 7
    Segregation of Duties                                              8
Application Controls                                                   8
Financial System Functionality                                         8
Other Findings in IT General Controls                                  8
Management's Comments and OIG Response                                12

APPENDICES

Appendix   Subject                                                                                  Page
A          Description of Key DHS Financial Systems and IT Infrastructure within the Scope of the
           FY 2009 DHS Financial Statement Audit Engagement                                           13
B          FY 2009 Notice of IT Findings and Recommendations at DHS                                   23
C          Status of Prior Year Notices of Findings and Recommendations and Comparison to Current
           Year Notices of Findings and Recommendations at DHS                                       125
D          Management's Comment                                                                      131
E          Report Distribution                                                                      133


OBJECTIVE, SCOPE AND APPROACH

During our engagement to perform an integrated audit of the Department of Homeland Security (DHS), we evaluated the effectiveness of IT general controls of DHS' financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit as it relates to IT general controls assessments at DHS. The scope of the DHS IT general controls assessment is described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial statement audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following six control functions to be essential to the effective operation of the general IT controls environment.

• Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access Control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
• Configuration Management (CM) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
• Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our IT general controls audit, we also performed technical security testing for key network and system devices. The technical security testing was performed from within select DHS facilities and focused on test, development, and production devices that directly support DHS' financial processing and key general support systems.

In addition to testing DHS' general controls environment, we performed application controls tests on a limited number of DHS financial systems and applications. The application control testing was performed to assess the controls that support the financial systems' internal controls over the input, processing, and output of financial data and transactions.

• Application Controls – Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans.

During FY 2009, we also considered the effects of financial system functionality while testing IT general and application controls and other internal controls over financial reporting. Many of the financial systems in use at DHS components were inherited from the legacy agencies and have not been substantially updated since the Department's inception. Additionally, DHS has had limited Department-wide financial system development or improvement activities. Consequently, ongoing financial system functionality limitations are contributing to the Department's challenges of addressing systemic internal control weaknesses and strengthening the overall control environment.


SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2009, DHS components took steps to improve their financial system security and address prior year IT control weaknesses, which resulted in the closure of more than 60% of our prior year IT control findings. However, new IT findings were identified during the year. The two primary reasons for the new findings included:

• New applications were included within the scope of the FY 2009 IT Audit; and
• The lack of operating effectiveness of key IT general controls.

As a result, we identified over one hundred (100) new IT general control deficiencies, which was over a 100% increase from last year. The most significant weaknesses from a financial statement audit perspective include: 1) excessive unauthorized access to key DHS financial applications; 2) configuration management controls that are not fully defined, followed, or effective; and 3) security management deficiencies in the areas of background investigations, the certification and accreditation process, and system acquisition and development, impacting DHS' ability to ensure that DHS financial data is available when needed.

Collectively, the IT control deficiencies limited DHS' ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over DHS' financial reporting and its operation, and we consider them to collectively represent a material weakness for DHS under standards established by the American Institute of Certified Public Accountants (AICPA). The IT findings were combined into one material weakness regarding IT Controls and Financial Systems Functionality for the FY 2009 audit of the DHS consolidated financial statements.

Conditions: Our findings related to IT controls and financial systems functionality follow:

Related to IT controls:

The IT general control areas that continue to present risks to DHS financial data confidentiality, integrity, and availability include:

• Access controls – Key DHS financial systems and applications have access control weaknesses, including: weaknesses in security documentation and approvals; lack of recertification for user accounts on an annual basis; inconsistent disabling of user account accesses upon termination; inadequate or weak system passwords; workstations, servers, or network devices without necessary software patches; lack of sufficient workstation inactivity time-outs; out-of-date anti-virus software; and insufficient audit logging. In addition, we identified the following instances where DHS policy was not adhered to:
    - While performing after-hours physical access testing, we identified the following unsecured items: Government credit cards; financial system user IDs and passwords; computer laptops; and issued badges.
    - While performing social engineering testing, we identified instances where DHS employees provided their system user names and passwords to an auditor posing as a help desk employee.
• Configuration management – We identified configuration management processes that are not fully defined, followed, or effective, including:
    - Instances where changes made to financial systems were not always properly approved, tested, or documented in accordance with the required System Change Request (SCR) process; and
    - Instances where policies and procedures regarding change controls were not in place to prevent users from having concurrent access to financial system development, test, and production environments, or for restricting access to application system software and system support files.
• Security management – We identified security management practices that do not fully and effectively ensure that financial systems are certified, accredited, and authorized for operation prior to implementation; and that all operational financial systems are accounted for in DHS' system inventory and monitored for compliance with security requirements in DHS' Trusted Agent FISMA system. DHS standards in the area of background investigations were not followed, and security and technical requirements for financial systems have not been considered and planned for in an integrated fashion during systems development and acquisition initiatives.

Related to financial system functionality:

We noted that financial system functionality limitations are contributing to control deficiencies which are inhibiting progress on corrective actions at several DHS components. Systemic conditions related to financial system functionality include:

• Segregation of key accounting functions needs to be manually maintained;
• Financial system audit logs are not readily generated and reviewed;
• DHS-required system passwords are not being followed due to financial systems that cannot support the policy;
• Financial systems do not provide flexible, user-friendly functionality; and
• Production versions of operational financial systems are outdated, no longer supported by the vendor, and do not provide the necessary core functional capabilities (e.g., general ledger capabilities).

While the recommendations made by us should be considered by DHS, it is the ultimate responsibility of DHS management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.

The individual weaknesses and findings that compose this deficiency are detailed in the following section.


IT GENERAL AND APPLICATION CONTROL FINDINGS BY AUDIT AREA

Conditions: In FY 2009, the following IT and financial system functionality deficiencies were identified at DHS. Forty percent of the deficiencies identified during our FY 2009 engagement were repeat issues identified during FY 2008. In addition, over 100 new IT deficiencies were identified this fiscal year, which is a 100% increase over the previous year. The following IT and financial system functionality deficiencies result in IT being reported as contributing to a material weakness for financial system security as part of the FY 2009 DHS Integrated Audit.

1. Access Controls – At the following DHS components: United States Coast Guard (USCG), Customs and Border Protection (CBP), Federal Law Enforcement Training Center (FLETC), Federal Emergency Management Agency (FEMA), Immigration and Customs Enforcement (ICE), DHS Headquarters, Transportation Security Administration (TSA), and United States Citizenship and Immigration Services (USCIS), we noted:

• Initial and modified user access, roles, and privileges to financial applications, databases, and networks, including remote access, were not documented and/or appropriately authorized;
• Policies and procedures that require periodic recertifications of user accounts were not in place;
• Periodic recertifications of user access and privileges to financial application, database, network, and/or remote user access were not formally performed in accordance with DHS policy;
• Financial application, database, network, and/or remote user accounts were not disabled or timely removed in accordance with DHS policy;
• Passwords were not configured to meet DHS requirements;
• Comprehensive and/or adequate policies and procedures that provide formal guidance for configuring and reviewing audit logs in accordance with DHS policy were lacking;
• Audit logs were not configured, reviewed, and/or monitored in accordance with existing requirements;
• An approved DHS Waiver and Exceptions Request Form associated with a financial database audit logging weakness was granted based on inconsistently or inaccurately described mitigating and compensating security controls. In addition, the controls required as a condition of DHS approval were not implemented;
• The use of generic or default user accounts was identified;
• Root access to financial systems is granted and not appropriately restricted and monitored;
• Physical access to sensitive facilities and resources was ineffective;
• Processes in place for sanitization of equipment and media were lacking;
• The process for authorizing and managing remote virtual private network (VPN) access to external agencies and contractors did not comply with the component and DHS requirements. Specifically, existing documentation did not define the requirements for administering VPN access for external organizations or identifying component roles and responsibilities for managing VPN access granted to external individuals using non-DHS equipment to access the network;
• Emergency and temporary access to financial applications and databases was not properly authorized and/or granted;
• A formalized process did not exist to guide staff in the modification of sensitive system accounts to ensure that appropriate privileges are created, documented, and approved for a specific security function. Additionally, the use of function modification privileges was not monitored;
• End-user workstations were not properly configured to activate a password-protected screensaver after five minutes of inactivity, as required by policy;
• Weaknesses in processes for recertifying data center access were present;
• Invalid login attempt settings did not comply with DHS requirements; and
• Accounts were not configured to be disabled after 45 days of inactivity within a full fiscal year, as required by component and DHS policy.

2. Configuration Management – At the following DHS components: USCG, CBP, FLETC, FEMA, ICE, DHS Headquarters, TSA, and USCIS, we noted:

• Password, security patch management, and configuration weaknesses were identified during our vulnerability assessments on hosts supporting the key financial applications and general support systems;
• System Engineering Life Cycle (SELC) documentation was not finalized;
• The Standard Operating Procedure (SOP) for monitoring sensitive access to operating system software was not implemented and did not include all operating system servers that are within scope. Additionally, there was no application or tool in place to support the audit logging function on the servers;
• Emergency and non-emergency changes to financial application system software were not consistently documented, tested, approved, controlled, tracked, and retained on file;
• Contracted developers/programmers were granted unrestricted access to the production environment;
• A finalized patch management policy for installing system patches was not implemented;
• Formal procedures were not implemented to require monitoring of developers' changes to a system's directories and sub-directories to review and validate implemented changes, and informal reviews of developer activities were not routinely performed and documented;
• The configuration management plans did not comprehensively provide guidance to address all configuration management control elements required by component and DHS policy;
• System changes were not appropriately approved and tracked prior to implementation into production;
• The process for monitoring the service provider's configuration management process and activities was not fully developed nor operating effectively;
• Procedures for approving, testing, and ensuring timely installation of operating system patches were not developed and implemented;
• Formal procedures for conducting internal scans were not developed, remediation of vulnerabilities identified during internal scans was not tracked and monitored, and select workstations were excluded from the scope; and
• DHS is in the process of becoming fully compliant with the Federal Desktop Core Configuration (FDCC) security configurations. Each DHS component agency has begun testing or implementing the FDCC security configurations; however, full compliance with FDCC security configurations for all DHS components is not planned to be completed until the end of FY 2011.

3. Security Management – At the following DHS components: USCG, CBP, FEMA, ICE, DHS Headquarters, and TSA, we noted:

• Procedures for transferred/terminated personnel exit processing are not finalized;
• Computer access agreements and exit clearance procedures have not been consistently implemented;
• Policies and procedures requiring completion of a training program by personnel in IT security positions were not finalized;
• IT security training is not mandatory, nor is compliance monitored;
• Background investigations as well as reinvestigations for all civilian and contractor employees have not been completed per DHS guidance;
• Procedures for the program managers on how to set the correct and consistent risk levels and position sensitivity designations for contract employees were not finalized;
• Four systems were not properly certified and accredited in accordance with DHS guidance;
• Information System Security Officers (ISSO) and Designated Authorizing Authorities (DAA) were not formally designated;
• Vulnerabilities identified during periodic internal scans and related corrective actions were not reported and tracked in accordance with DHS policy;
• Two systems were not included in the system inventory, and neither system was being tracked via the Trusted Agent Federal Information Security Management Act repository;
• The revised system security plan for one system did not fully document the system's boundaries, define all subsystems and major applications, nor establish security responsibilities for all system components;
• For the majority of FY 2009, a finalized and executed Memorandum of Understanding and an Interconnection Sharing was not in place between a DHS component and the Department of the Treasury;
• Information Security Agreements for all identified participating government agencies have not been documented as required by the DHS component and DHS policies;
• Procedures for managing IT security incidents were not developed, approved, and implemented, and the audit's unannounced vulnerability assessment scanning activity was not detected and appropriately reported by the DHS component in accordance with DHS and the DHS component's incident response policy;
• Financial systems development and acquisition projects were undertaken and progressed without (1) proper oversight of and direction to contractors, (2) development and approval of required project documentation, (3) the continual involvement of the Office of the Chief Information Officer (OCIO) to ensure appropriate consideration and integration of IT security, and (4) the joint communication and decision-making of the DHS component and DHS management;
• A process is lacking for tracking the status of contractors or an effective and formal process for notifying the OCIO of changes in contractor status so that user accounts could be appropriately disabled, removed, or modified in a timely manner;
• Data from all component organizations to ensure a complete and accurate listing of all contractors was not properly captured. Additionally, through inspection of data on current contractors, it was noted that there were data validity issues in the component's contractor tracking system, including inaccurate start dates, as well as duplicate hash IDs;
• A complete and up-to-date listing of all workstations is not maintained; specifically, workstations maintained within Active Directory (AD) cannot be accounted for in a reasonable manner;
• Twenty-four out of 60,750 Active Directory (AD) workstations did not have virus protection installed, which is a negligible amount. However, it could not be determined what percentage of non-AD workstations have virus protection installed, as non-AD workstations do not communicate with the ePolicy Orchestrator system that is used to maintain and update virus protection across the component's workstations and networks;
• Non-disclosure agreements (NDA) for eight out of 45 selected contractors were signed several months after their hire date. Additionally, one NDA did not have a witness signature, indicating that the NDA was not appropriately completed; and
• Ten out of 40 selected individuals with systems access across the country did not have a signed rules of behavior on record. Additionally, 11 individuals signed the rules of behavior months after the component's requirement to sign the rules of behavior.
These individuals have had access\n       during fiscal year 2009.\n4.\t Service Continuity \xe2\x80\x93 at the FEMA we noted:\n    \xe2\x80\xa2\t An alternate processing site was not established and implemented. Additionally, the approved DHS\n       waiver was expired and documented controls for restoring the system servers from back up tapes to\n       compensate for the lack of an alternate processing site were ineffective;\n    \xe2\x80\xa2\t A system\xe2\x80\x99s backup tapes were not regularly tested in accordance with policy at one DHS \n\n       component; \n\n    \xe2\x80\xa2\t A full scale testing of a system\xe2\x80\x99s contingency plan was not conducted and the plan did not\n       adequately and comprehensively include information for fully restoring the system in accordance\n       with requirements for a high impact availability system. Additionally, the waiver approved by DHS\n       that identified table-top testing as a compensating control for the component\xe2\x80\x99s inability to fully test\n       the system was expired; and\n    \xe2\x80\xa2\t An existing systems contingency plan and the disaster recovery and continuity of operations plan\n       were not current or tested for systems recovery and failover capability at the alternate processing\n       site. 
Additionally, the systems alternate processing facility and critical data files were not\n       documented in the existing disaster recovery and continuity of operations plan.\n5.\t Segregation of Duties \xe2\x80\x93 At the following DHS components: CBP, FEMA, ICE, and USCIS we noted:\n    \xe2\x80\xa2   Segregation of duties controls were not enforced through access authorizations in one system;\n\n\n\n                                                    7\n        Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                       Department of Homeland Security\n                                   Information Technology Management Letter\n                                              September 30, 2009\n\n\n        \xe2\x80\xa2\t Incompatible duties that must remain segregated when granting and maintaining user access and\n           processes for segregating incompatible duties within a system are not formally documented in\n           existing policies and procedures;\n        \xe2\x80\xa2\t One system is not currently configured to restrict access to least privilege for performing job\n           functionality as required by component policy; and\n        \xe2\x80\xa2\t For one system, six users had Originator, Funds Certification Official, and Approving Official\n           profiles that were in violation of the component\xe2\x80\x99s segregation of duties policies.\nApplication Controls\n        \xe2\x80\xa2\t At CBP, a weakness in the drawback controls existed within a system. Specifically, the system does\n           not support the tracking of drawback items to the line item level. Rather, it only tracks drawbacks\n           on a summary level. This control weakness was also identified in FYs 2003 through 2008.\n           Additionally, we noted the certification of drawbacks is required before a drawback can be\n           processed. 
      However, the system currently automatically certifies drawbacks that have not been certified by a supervisor, circumventing this control.

Financial System Functionality
We noted that financial system functionality limitations are contributing to control deficiencies which are inhibiting progress on corrective actions in several DHS components. Systemic conditions related to financial system functionality include:
   •  Segregation of key accounting functions needs to be manually maintained because financial systems cannot enforce automated segregation of duties.
   •  Financial system audit logs are not readily generated and reviewed because financial systems cannot offer the necessary functionality.
   •  DHS-required system passwords are not being used because some financial systems cannot support the policy.
   •  Financial systems do not provide flexible, user-friendly functionality to completely and accurately report financial data or track property, plant, and equipment information.
   •  Production versions of operational financial systems are outdated, no longer supported by the vendor, and do not provide the necessary core functional capabilities (e.g., general ledger capabilities).

Other Findings in IT General Controls

After-Hours Physical Security Testing
We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects include physical access to equipment that houses financial data and information residing on a DHS component employee's desk, which could be used by others to inappropriately access financial information. The testing was performed at various DHS component locations that process and/or maintain financial data. After gaining access to the facilities via a DHS employee who was designated to assist with and monitor our test work, we inspected a random selection of desks or offices, looking for items such as improper protection of system passwords, unsecured information system hardware, documentation marked "For Official Use Only" (FOUO), and unlocked network sessions. Our selection of desks and offices was not statistically derived, and therefore we are unable to project results to the component or department as a whole.

The after-hours testing at each DHS component was performed separately over a three-month period. During the initial phase of our testing it came to our attention that DHS component management became aware of our testing efforts and notified their employees to be aware of auditors conducting random security testing. As a result, there is the belief that the testing results of the DHS components later in the testing phase were compromised and fewer exceptions were identified as a result.

For each DHS component tested, we noted the type of unsecured information or property we identified and included the total exceptions noted by location, as well as by type of information or property identified. See the table below for specific details of the results of our testing at each of the components included in the scope of this audit work:

  Exceptions – Items Unsecured                      CBP   Coast   FEMA   FLETC   ICE   TSA   Total Exceptions
                                                          Guard                                  by Type
  Passwords                                          10      11     42      84    26     4          177
  For Official Use Only (FOUO)                       26       0      2       4     4     0           36
  Keys/Badges                                         7       0      2       7     2     0           18
  Personally Identifiable Information (PII) Data     23       0      2      83    15     0          123
  Server Names/IP Addresses                           2       0      1       0     2     0            5
  Laptops                                             3       2      1       6     3     0           15
  External Drives                                     4       0      4       2     6     0           16
  Credit Cards                                        2       2      0      12     1     0           17
  Common Access Cards (CAC)                           0       4      0       0     0     0            4
  Other – Workstation logged on without
    screen saver activated                            0       0      0       4     2     0            6
  Other – U.S. Government passport                    1       0      0       0     0     0            1
  Total Exceptions by Component                      78      19     54     202    61     4          418

Social Engineering Testing
Social engineering is defined as the act of attempting to manipulate or deceive people into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing/enabling computer system access. The term typically applies to deception for the purpose of information gathering or computer system access.

During the course of our social engineering test work, the objective was primarily focused on attempting to identify user passwords. Posing as DHS technical support employees, attempts were made to obtain this type of account information by contacting randomly selected employees by telephone. A script was used to ask for assistance from the user in resolving a network issue in the component. For each person we attempted to call, we noted whether the individual was reached and whether we obtained any information from them that should not have been shared with us according to DHS policy.

The social engineering testing at each DHS component was performed separately over a two-month period. During the initial phase of our testing it came to our attention that DHS component management became aware of our testing efforts and notified their employees to be aware of auditors conducting random security testing.
As a result, there is the belief that the testing results of the DHS components later in the testing phase were compromised and fewer exceptions were identified as a result. Our selection of individuals was not statistically derived, and therefore we are unable to project results to the component or department as a whole.

For each DHS component tested, we noted the number of calls made, the number of DHS employees who answered our calls, and the number of DHS employees that inappropriately provided their password to the KPMG auditors. See the table below for specific details of the results of our testing at each of the components included in the scope of this audit work:

  DHS Component    Total Called   Total Answered   Number of people who provided a password
  CBP                        30               10   2 passwords provided
  Coast Guard                38               14   1 password provided
  FEMA                       50               15   No passwords provided
  FLETC                      44               20   No passwords provided
  ICE                        65               20   5 passwords provided
  TSA                        20                5   No passwords provided
  Totals                    247               84   8 passwords provided

Recommendations: We recommend that the DHS Office of Chief Information Officer (OCIO), in coordination with the OCFO, the DHS component OCIOs, OCFOs, and other appropriate component management, review each individual IT NFR appropriately to ensure that the DHS components enter the recommendations as Plan of Action and Milestones in Trusted Agent FISMA, and work with the respective components to develop corrective action plans to address the root cause and condition of each NFR.

Financial System Functionality Recommendation: We recommend that the DHS Office of Chief Information Officer (OCIO), in coordination with the OCFO, the DHS component OCIOs, OCFOs, and other appropriate component management, address the IT system aspects associated with the financial system functionality issues listed above, or develop compensating/mitigating controls in order to eliminate or reduce the associated risk.

Cause/Effect: A contributing cause to repeated findings is that DHS lacks an effective component-wide prioritization of financial system weaknesses, including the development of a stable centralized financial system platform for the Department. The time and resources needed to implement corrective actions necessary to mitigate these weaknesses are significant.

The conditions supporting our findings collectively limit DHS' ability to ensure that critical financial and operational data is kept secure and is maintained in a manner to ensure confidentiality, integrity, and availability. Many of these weaknesses, especially those in the area of access and configuration management controls, may result in material errors in DHS' financial data that are not detected in a timely manner and in the normal course of business. In addition, as a result of the presence of IT control weaknesses and financial system functionality weaknesses, there is added pressure on other mitigating manual controls to be operating effectively at all times. Because mitigating controls often require more manually performed procedures, there is an increased risk of human error that could materially affect the financial statements.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the E-Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB guidance and other applicable requirements. In addition, OMB Circular No. A-130, Management of Federal Information Resources, describes specific essential criteria for maintaining effective general IT controls. Further, the Federal Financial Management Improvement Act (FFMIA) sets forth legislation prescribing policies and standards for Executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. The purpose of FFMIA is to: (1) provide for consistency of accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the Federal Government; (2) require Federal financial management systems to support full disclosure of Federal financial data, including the full costs of Federal programs and activities; (3) increase the accountability and credibility of federal financial management; (4) improve performance, productivity and efficiency of Federal Government financial management; and (5) establish financial management systems to support controlling the cost of Federal Government. FFMIA requirements are complemented by Financial Systems Integration Office (FSIO) requirements, which set forth core financial management functionality required by Federal financial systems. Finally, DHS' Sensitive Systems Policy, 4300A, documents policies and procedures adopted by DHS intended to improve the security and operation of all DHS IT systems.

MANAGEMENT'S COMMENTS AND OIG RESPONSE
We obtained written comments on a draft of this report from the DHS CIO, DHS Acting CFO, and DHS CISO. Generally, DHS management agreed with all of our findings and recommendations. DHS management has developed a remediation plan to address these findings and recommendations. We have incorporated these comments where appropriate and included a copy of the comments at Appendix D.

OIG Response
We agree with the steps that DHS management is taking to satisfy these recommendations.

Appendix A

Description of Key Financial Systems and IT Infrastructure within the Scope of the FY 2009 DHS Integrated Audit Engagement
Below is a description of significant financial management systems and supporting Information Technology (IT) infrastructure included in the scope of the engagement to perform the financial statement audit.

Coast Guard (USCG)

Core Accounting System (CAS)
CAS is the core accounting system that records financial transactions and generates financial statements for the Coast Guard. CAS is hosted at the Coast Guard's Finance Center (FINCEN), in Chesapeake, Virginia (VA). The FINCEN is the Coast Guard's primary data center. CAS interfaces with two other systems located at the FINCEN, the Workflow Imaging Network System (WINS) and the Financial and Procurement Desktop (FPD).
   •  CAS Version 4.1
   •  CAS Oracle Database 9.2.0.8.0 – 47 GB 16x750mhz RISC Processor; cgofprod.world
   •  CAS Operating System – HP Unix 11.11; ARGUS Server

Financial Procurement Desktop (FPD)
The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS system and is located at the FINCEN in Chesapeake, VA.
   •  FPD Oracle 9.2.0.8.0 Database – 28 GB 12x750mhz RISC Processor; LUFS.world
   •  FPD Operating System – HP UNIX 11.11; Dart Server

WINS
WINS is the document image processing system, which is integrated with an Oracle Developer/2000 relational database. WINS allows electronic data and scanned paper documents to be imaged and processed for data verification, reconciliation and payment. WINS utilizes MarkView software to scan documents, to view the images of scanned documents, and to render images of electronic data received. WINS is interconnected with the CAS and FPD systems and is located at the FINCEN in Chesapeake, VA.
   •  WINS Oracle 10.2.0.3 Database – 48 GB 12x750mhz RISC Processor; PROD1.world
   •  WINS Operating System – HP Unix 11.11; Vigilant Server

Checkfree
Checkfree is a commercial product used to reconcile payment information retrieved from the United States Department of the Treasury (Treasury). It reconciles items that Treasury has paid with items CAS has sent to that Department. This system is hosted on a Windows server and resides at the FINCEN.
   •  Oracle Database 9.2.0.8.0 – 48 GB
   •  12x750mhz RISC Processor; fundx.world
   •  Checkfree Operating System – HP Unix 11.11; ARGUS Server

Joint Uniform Military Pay System (JUMPS)
JUMPS is a mainframe application used for paying USCG active and reserve payroll. JUMPS is located at the Pay and Personnel Center (PPC) in Topeka, Kansas.
   •  IBM Mainframe – z890
   •  JUMPS Operating System z/OS 1.8 Base

Direct Access
Direct Access is the system of record, and all functionality, data entry, and processing of payroll events is conducted exclusively in Direct Access. Direct Access is maintained by IBM Application On Demand (IBM AOD) in the iStructure data center facility at Tempe, AZ, with a hot site located in a Qwest data center in Sterling, VA.
   •  Hardware – 2 Sunfire 4800, 3 Sunfire 880, 1 Sunfire 4500, and 1 Sunfire v240 server
   •  Operating System – Sun Solaris 2.8
   •  Database – Oracle 9.2.0.6
   •  Software – Peoplesoft HCM 8.0
   •  Security Software – Tivoli

Global Pay (Direct Access II)
Global Pay provides retiree and annuitant support services. Global Pay is maintained by IBM Application On Demand (IBM AOD) in the iStructure data center facility at Tempe, AZ, with a hot site located in a Qwest data center in Sterling, VA.
   •  Oracle RDMS v 10.x
   •  IBM x Series 336

Shore Asset Management (SAM)
SAM is hosted at the Coast Guard's Operation System Center (OSC), in Martinsburg, WV. SAM provides core information about the USCG shore facility assets and facility engineering. The application tracks activities and assists in the management of the Civil Engineering (CE) Program and the Facility Engineering (FE) Program. SAM data contributes to the shore facility assets full life cycle Program management, facility engineering full life cycle Program management, and rationale to adjust the USCG mission needs through planning, budgeting, and project funding. SAM also provides real property inventory and management of all shore facilities, in addition to the ability to manage and track the facilities engineering equipment and maintenance of that equipment.
   •  Hardware platform: Intel MP BladeServer SBXD132, 2x Xeon Dual Core 2.66Ghz, EMT64, 4GB Ram (8GB DB Servers), Mirrored 72GB SAS, 2x 1GB Network Interface
   •  Operating Software: Windows 2003 Server Standard 5.2.3790 Service Pack 2 build 3790
   •  Security Software – McAfee Virus Scan Enterprise 8.0.0
   •  Database – Oracle 9i, 32 bit

Customs and Border Protection

SAP R/3
SAP is a client/server-based financial management system that was implemented beginning in FY 2004 to ultimately replace the AIMS mainframe-based financial system using a phased approach. The SAP Materials Management module was implemented and utilized in FY 2004. Since FY 2005, the Funds Management, Budget Control System, General Ledger, Internal Orders, Sales and Distribution, Special Purpose Ledger, and Accounts Payable modules have been implemented. Therefore, the entire SAP R/3 financial management system was included in the FY 2008 financial statement audit and is under a full scope ITGC review. The SAP R/3 system is located in [redacted].

Automated Commercial System (ACS)
ACS is a collection of mainframe-based applications used to track, control, and process all commercial goods, conveyances and private aircraft entering the United States territory, for the purpose of collecting import duties, fees, and taxes owed the Federal government. The ACS system is included in full scope in the FY 2008 financial statement audit. The ACS system is located in [redacted].

Automated Commercial Environment (ACE)
ACE is the commercial trade processing system being developed by CBP to facilitate trade while strengthening border security. ACE is being deployed in phases, with a final full deployment scheduled for FY 2010. As ACE is partially implemented now and processes a significant amount of revenue for CBP, ACE was included in a full scope for this year's financial statement audit. The ACE system is located in [redacted].

Federal Law Enforcement and Training Center (FLETC)

Financial Accounting and Budgeting System (FABS)
   •  Processing Location: FLETC Headquarters in Glynco, GA
   •  General System Description:

The FLETC FABS application is an all-in-one financial processing system. It functions as the computerized accounting and budgeting system for FLETC. The FABS system exists to provide all of the financial and budgeting transactions in which FLETC is involved. The FABS environment primarily consists of the latest version of the Momentum version 6.1.6 COTS software, an Oracle 10g database and its companion Oracle 10.2 Database Management System (DBMS). An application called "Tuxedo" also resides on a separate server. The Tuxedo middleware holds 67 executable files. These files are scripts that process daily information and are not directly accessible by users. The FABS application and servers reside on the FLETC LAN in a hybrid physical network topology and are accessible from four sites: Glynco, GA; Washington, D.C.; Artesia, New Mexico; and Cheltenham, MD.

   −  Hardware: Hewlett Packard ProLiant BL465c Blade Servers (web and application) and Hewlett Packard ProLiant BL685c Blade Servers (database)
   −  Operating System: Microsoft Windows 2003 Server running on virtual machines on top of VMware Infrastructure 3.5 Enterprise hypervisor on the web and application servers
   −  Database: Red Hat Enterprise Linux
   −  Security Software: FABS system does not currently have a firewall scheme and resides on FLETC LAN that has a firewall in place

Interfaces:
   −  National Finance Center (NFC) Payroll System
   −  Student Information System (SIS)
   −  Treasury Information Executive Repository (TIER)
   −  US Coast Guard Interface
   −  Kansas City Financial Center (KFC)

Glynco Administrative Network
   •  Processing Location: FLETC Headquarters in Glynco, GA
   •  General System Description:

The purpose of the Glynco Administrative Network (GLYADLAN) is to provide access to Information Technology (IT) network applications and services, to include voice, to authorized FLETC personnel, contractors and partner organizations located at the Glynco, Georgia facility. It provides authorized users access to email, internet services, required applications such as Financial Management Systems (FMS), procurement systems, property management systems, video conference, and other network services and shared resources.

   −  Hardware: Cisco ACS TACAS Server, Avaya 8700 Media Servers, Dell Poweredge servers 1750, 1850, 1950, 2650, 2850, 2950, and 6650.
   −  Operating System: Windows XP SP2 (Desktop)
   −  Database: Redhat Linux 4 Enterprise edition
   −  Security Software: ASA 5500 series firewall and static IP addresses

Interfaces:
   −  FMS
   −  DHS

Student Information System (SIS)
   •  Processing Location: FLETC Headquarters in Glynco, GA
   •  General System Description:

The purpose of the SIS is to capture and facilitate the FLETC student registration process and billing. SIS stores, processes, and transmits Sensitive But Unclassified (SBU) information, which includes individual student personal information. Additional data types include specific course information (e.g., course numbers, dates, associated agencies, locations, and billing costs). All users of SIS are internal to the FLETC network. Students do not directly enter data into SIS.
   −  Hardware: HP Server.
   −  Operating System: HP-UX 11.0
   −  Database: Informix
   −  Security Software: DHS Firewall

Interfaces:
No direct interconnection

Federal Emergency Management Agency

Core Integrated Financial Management Information System (IFMIS)
   •  Processing Location: Mount Weather Emergency Operations Center (MWEOC) in Bluemont, VA

General System Description:
Core IFMIS is the key financial reporting system, and has several feeder subsystems (budget, procurement, accounting, and other administrative processes and reporting). It was developed and is currently maintained by the Digital Systems Group Incorporated (DSG).
   −  Hardware: Two (2) HP-N4000 servers
   −  Operating System: HPUX (Unix) version 11.11
   −  Database: Oracle 9i Enterprise Edition
   −  Security Software: Servers are protected by a CISCO PIX Firewall

Interfaces:
   −  NEMIS
   −  Credit Card Transaction Management System (CCTMS)
   −  Fire Grants
   −  Mitigation Grants
   −  eGrants
   −  ProTrac
   −  Payroll
   −  Department of Treasury
   −  Smartlink
   −  Treasury Information Executive Repository (TIER)

Grants and Training (G&T) IFMIS

Processing Location: Mount Weather Emergency Operations 
Center (MWEOC) in Bluemont, VA \n\n\nGeneral System Description: \n\nG&T IFMIS was moved from the Department of Justice into the FEMA environment in FY 2007. The \n\nsystem stores former G&T financial information. \n\n\n    \xe2\x88\x92 Hardware: HP-N4000 server\n\n    \xe2\x88\x92 Operating System: HPUX (Unix) version 11.11 \n\n    \xe2\x88\x92 Database: Oracle 9i Enterprise Edition \n\n    \xe2\x88\x92 Security Software: Servers are protected by a CISCO PIX Firewall\n\nInterfaces:\n    \xe2\x88\x92 PARS\n\nPayment and Reporting System (PARS) \n\nProcessing Location: Mount Weather Emergency Operations Center (MWEOC) in Bluemont, VA\n\n\nGeneral System Description: \n\nPARS is a standalone web-based application that resides on the G&T IFMIS UNIX server. Through its web \n\ninterface, PARS collects and stores SF269 information from grantees. Chron jobs are run daily to update \n\nthe grant information from PARS into G&T IFMIS. Additionally, through these chron jobs, PARS is also \n\nupdated with the obligation information from G&T IFMIS to provide updated information to its users. 
\n\n    \xe2\x88\x92 Hardware: HP-N4000 server \n\n    \xe2\x88\x92 Operating System: HPUX (Unix) version 11.11 \n\n    \xe2\x88\x92 Database: Oracle 9i Enterprise Edition \n\n    \xe2\x88\x92 Security Software: Servers are protected by a CISCO PIX Firewall\n\nInterfaces:\n    \xe2\x88\x92 G&T IFMIS\n\nNational Emergency Management Information System (NEMIS) \n\nProcessing Location: Mount Weather Emergency Operations Center (MWEOC) in Bluemont, VA\n\n\nGeneral System Description: \n\n\n\n\n\n                                                18\n        Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                                                Appendix A\n                                  Department of Homeland Security\n                              Information Technology Management Letter\n                                         September 30, 2009\n\nNEMIS is an integrated system to provide FEMA, the states, and certain other federal agencies with\nautomation to perform disaster related operations. NEMIS supports all phases of emergency management\nand provides financial related data to IFMIS via an automated interface.\n    \xe2\x88\x92 Hardware: HP Servers\n    \xe2\x88\x92 Operating System: Linux, Microsoft NT and Microsoft 2000\n    \xe2\x88\x92 Database: Replicated Oracle 10g, 9i, and 8i database\n    \xe2\x88\x92 Security Software: Servers are protected by a PIX Firewall Symantec Anti-Virus corporate edition\n        version 10.1.4.4000\nInterfaces:\n    \xe2\x88\x92 IFMIS\n    \xe2\x88\x92 US Coast Guard Credit Card System\n    \xe2\x88\x92 Small Business Administration\n\nTraverse\nProcessing Location: Lanham, MD\n\nGeneral System Description:\nTraverse is the general ledger application currently used by the NFIP Bureau and Statistical Agent to\ngenerate the NFIP financial statements. 
Traverse is a client-server application that runs on the NFIP Local\nArea Network (LAN) Windows server in Lanham, MD. The Traverse client is installed on the desktop\ncomputers of the NFIP Bureau of Financial Statistical Control group members.\n    \xe2\x88\x92 Hardware - Hewlett Packard ML530, Dual Xeon 2.8 Processors, 2 GB RAM, Redundant Array of\n        Independent Disks (RAID) Storage \n\n    \xe2\x88\x92 Operating System - Microsoft Windows Server 2003 \n\n    \xe2\x88\x92 Database - Microsoft Structured Query Language (SQL) \n\nInterfaces: \n\nNo known system interfaces\n\n\nTransaction Recording and Reporting Processing (TRRP)\nProcessing Location: Norwich, CT\n\nGeneral System Description: \n\nThe TRRP application acts as a central repository of all data submitted by the Write Your Own (WYO) \n\ncompanies for the NFIP. TRRP also supports the WYO program, primarily by ensuring the quality of\n\nfinancial data submitted by the WYO companies to TRRP. TRRP is a mainframe-based application that\n\nruns on the NFIP mainframe logical partition in Norwich, CT. 
\n\n    \xe2\x88\x92 Hardware - IBM 2086-220 Mainframe with two central processing units \n\n    \xe2\x88\x92 Operating System \xe2\x80\x93 z/OS 1.4 \n\n    \xe2\x88\x92 Database - FOOCUS \n\nInterfaces: \n\nNo known system interfaces\n\n\n\n\n\n                                                   19\n       Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                                              Appendix A\n                                 Department of Homeland Security\n                             Information Technology Management Letter\n                                        September 30, 2009\n\n\n\nImmigration and Customs Enforcement (ICE)\n\nFederal Financial Management System (FFMS)\nThe FFMS is a CFO designated financial system and certified software application that conforms to OMB\nCircular A-127 and implements the use of a Standard General Ledger for the accounting of agency financial\ntransactions. It is used to create and maintain a record of each allocation, commitment, obligation, travel\nadvance and accounts receivable issued. It is the system of record for the agency and supports all internal\nand external reporting requirements. FFMS is a commercial off-the-shelf financial reporting system and is\nbuilt on Oracle 9i Relational Database Management System running off an IBM 9170 Mainframe with ZOS\n1.9 platform. The FFMS operating system operates off an IBM ZOS, Version 1.9 Mainframe Server and\nMicrosoft Windows 2000 report servers protected by firewalls. It includes the core system used by\naccountants, FFMS Desktop that is used by average users, and a National Finance Center payroll interface.\nThe FFMS mainframe component and two network servers are hosted at the Department of Commerce\n(DOC) Office of Computer Services (OCS) facility located in Springfield, Virginia. 
FFMS currently\ninterfaces with the following systems:\n    \xe2\x80\xa2\t Direct Connect for transmission of DHS payments to Treasury\n    \xe2\x80\xa2\t The Travel Manager System (TMS)\n    \xe2\x80\xa2\t The Biweekly Examination Analysis Reporting (BEAR) and Controlling Accounting Data Inquiry\n         (CADI), for the purpose of processing National Finance Center (NFC) user account and payroll\n         information.\n    \xe2\x80\xa2\t The Debt Collection System (DCOS)\n    \xe2\x80\xa2\t Bond Management Information System (BMIS) Web (starting October 31, 2008 and will replace\n         DCOS)\n\nICE Network\nThe ICE Network, also know as the Active Directory/Exchange (ADEX) E-mail System, is a major\napplication for ICE and other DHS components, such as the USCIS. The ADEX servers and infrastructure\nfor the headquarters and National Capital Area are located on the third floor of the Potomac Center North\nTower in Washington, DC. The ICE Network utilizes a hybrid mesh/hub and mesh network design to\nmaximize redundancy throughout the network. ICE operates off of Dell PowerEdge 2950, HP ProLiant DL\n385 Server, HP ProLiant BL4p Server Blade, HP BL 25P Blade Server, and EMC Symmetrix DM. ADEX\nhas implemented Microsoft Windows 2003 Enterprise Server operating system to provide directory, domain\ncontrol, and network services to clients. For security purposes, ADEX has implemented firewalls and a\nlogical Layer-3 encrypted overlay network through the use of Generic Routing Encapsulation (GRE) and\nIPSec tunneling. 
ADEX currently interfaces with the following systems:\n     \xe2\x80\xa2\t Diplomatic Telecommunications Service Program Office (DTSPO) ICENet Infrastructure\n\nOffice of Financial Management (OFM)/Consolidated Component\n\nDHS Treasury Information Executive Repository (DHSTIER)\nDHSTIER is the system of record for the DHS consolidated financial statements and is used to track,\nprocess, and perform validation and edit checks against monthly financial data uploaded from each of the\nDHS bureaus\xe2\x80\x99 core financial management systems. DHSTIER is administered jointly by the OCFO\nResource Management Transformation Office (RMTO) and the OCFO Office of Financial Management\n(OFM) and is hosted on the DHS OneNet at the Stennis Data Center in Mississippi.\n    \xe2\x80\xa2\t Database: Oracle DB 10g v10.3\n\n\n                                                  20\n       Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                                                Appendix A\n                                  Department of Homeland Security\n                              Information Technology Management Letter\n                                         September 30, 2009\n\n\n    \xe2\x80\xa2\t Operating System: Microsoft Windows 2003\n    \xe2\x80\xa2\t Hardware: HP ProLiant BL460c G1 server\n\nChief Financial Office VISION (CFO Vision)\nCFO Vision is a subsystem of DHSTIER used for the consolidation of the financial data and the preparation\nof the DHS financial statements. 
CFO Vision is also administered by RMTO and OFM and is hosted on the\nDHS OneNet at the Stennis Data Center in Mississippi.\n     \xe2\x80\xa2\t Commercial Off the Shelf (COTS) Software - SAS Financial Management Solutions version 4.3\n        (FM 4.3) with its own internal SAS database\n     \xe2\x80\xa2\t Operating System: Microsoft Windows 2003 Hardware: HP ProLiant BL460c G1 server\n\nTransportation Security Administration (TSA)\n\nCore Accounting System (CAS)\nCAS is the core accounting system that records financial transactions and generates financial statements for\nthe Coast Guard. CAS is hosted at the Coast Guard\xe2\x80\x99s Finance Center (FINCEN), in Chesapeake, Virginia\n(VA). The FINCEN is the Coast Guard\xe2\x80\x99s primary data center. CAS interfaces with two other systems\nlocated at the FINCEN, the Workflow Imaging Network System (WINS) and the Financial and Procurement\nDesktop (FPD).\n    \xe2\x80\xa2\t CAS Version 4.1\n    \xe2\x80\xa2\t CAS Oracle Database 9.2.0.8.0 \xe2\x80\x93 47 GB 16x750mhz RISC Processor; cgofprod.world\n    \xe2\x80\xa2\t CAS Operating System \xe2\x80\x93 HP Unix 11.11; ARGUS Server\n\nFinancial Procurement Desktop (FPD)\nThe FPD application is used to create and post obligations to the core accounting system. It allows users to\nenter funding, create purchase requests, issue procurement documents, perform system administration\nresponsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS\nsystem and is located at the FINCEN in Chesapeake, VA.\n    \xe2\x80\xa2\t FPD Oracle 9.2.0.8.0 Database \xe2\x80\x93 28 GB 12x750mhz RISC Processor; LUFS.world\n    \xe2\x80\xa2\t FPD Operating System \xe2\x80\x93 HP UNIX 11.11; Dart Server\n\nSunflower\nSunflower is a customized third party commercial off the shelf (COTS) product used for TSA and Federal\nAir Marshals (FAMS) property management. 
Sunflower interacts directly with the OF FA module in CAS.\nAdditionally, Sunflower is interconnected to the FPD system.\n    \xe2\x80\xa2\t Sunflower Database \xe2\x80\x93 10.2.0.3 - 2 x 3.06 GB Xeon Processor \xe2\x80\x93 72 GB\n    \xe2\x80\xa2\t Sunflower Operating System \xe2\x80\x93 Red Hat Linux 4.0AS\n    \xe2\x80\xa2\t Sunflower Third Party Software \xe2\x80\x93 IBMJava 2.-131RC2\n\n\n\n\n                                                   21\n       Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                                               Appendix A\n                                 Department of Homeland Security\n                             Information Technology Management Letter\n                                        September 30, 2009\n\n\n\nUnited States Citizenship and Immigration Services (USCIS)\n\nClaims 3 Local Area Network (LAN)\nClaims 3 LAN provides USCIS with a decentralized LAN based system that supports the requirements of\nthe Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCIS forms improvement\nprojects. The Claims 3 LAN is located at each of the service centers (Nebraska, California, Texas,\nVermont, and the National Benefits Center). Claims 3 executes on Dell 220 S (EMC), RAID Controller,\nDisk Storage servers protected by firewalls, and Windows 2003, MS Sp2 as the operating system and\nPervasive database software and is used to enter and track immigration applications. 
Claims 3 interfaces\nwith the following systems:\n    \xe2\x80\xa2 CLAIMS 3 Mainframe\n    \xe2\x80\xa2 Integrated Card Production System (ICPS)\n    \xe2\x80\xa2 Receipt and Alien-File Accountability and Control System (RAFACS)\n    \xe2\x80\xa2 CLAIMS 4\n    \xe2\x80\xa2 FD-258 EE\n    \xe2\x80\xa2 E-filing\n    \xe2\x80\xa2 Benefits Biometric Support System (BBSS)\n    \xe2\x80\xa2 IBIS\n    \xe2\x80\xa2 CHAMPS\n\nClaims 4\nThe purpose of Claims 4 is to track and manage naturalization applications. Claims 4 is a client/server\napplication. Claims 4 runs off of Sunfire 890, 490, Solaris 9, and Oracle 9iR2 servers with Oracle 9i,\nWindows NT, and Windows 2000 Server operating systems and are protected by firewalls. The central\nOracle Database that runs off of Oracle Enterprise 9i is located in Washington, DC while application servers\nand client components are located throughout USCIS service centers and district offices. Claims 4\ninterfaces with the following systems:\n    \xe2\x80\xa2 Central Index System (CIS)\n    \xe2\x80\xa2 Reengineered Naturalization Automated Casework System (RNACS)\n    \xe2\x80\xa2 Computer-Linked Application Information Management System 3 (CLAIMS 3)\n    \xe2\x80\xa2 Refugee, Asylum, and Parole System (RAPS)\n    \xe2\x80\xa2 Performance Analysis System (PAS)\n    \xe2\x80\xa2 National File Tracking System (NFTS)\n    \xe2\x80\xa2 Receipt and Alien-File Accountability and Control System (RAFACS)\n    \xe2\x80\xa2 Interactive Voice Response System (IVRS)\n\n\n\n\n                                                  22\n       Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                            Appendix B\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2009\n\n\n\n\n                               Appendix B \n\n\n  FY2009 Notice of IT 
Findings and Recommendations at DHS

Notice of Findings and Recommendations – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS Consolidated Independent Auditors' Report.

    1 – Not substantial
    2 – Less significant
    3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These ratings are provided only to assist DHS in the development of its corrective action plans for remediation of the deficiency.

Department of Homeland Security
FY2009 Information Technology – Notice of Findings and Recommendations – Detail

    • United States Coast Guard
Notification of Findings and Recommendations – Detail

United States Coast Guard

Table columns: NFR #; Condition; Recommendation; New Issue; Repeat Issue; Severity Rating. An "X" marks whether the NFR is a New Issue or a Repeat Issue.

NFR #: CG-IT-09-10
Condition: The current Coast Guard Instruction does not include specific guidance for the Program Managers on how to set the correct and consistent risk levels and position sensitivity designations that correspond to CLINs and labor categories. Therefore, there is insufficient guidance over the level of clearance required, which may result in inconsistent risk levels and position sensitivity designations.
Recommendation: Update the policies and procedures currently in place to include clear guidance for Program Managers and Contracting Officers to assign contractor risk level(s) and position sensitivity designation requirements in order to verify that all contracts issued by the Coast Guard include the appropriate investigation level requirements.
New Issue: 
Repeat Issue: X
Severity Rating: 2

NFR #: CG-IT-09-14
Condition: The Role-Based Industry Standards for Coast Guard Information Assurance (IA) Professionals Commandant Instruction remains in draft form.
Recommendation:
    • Update the Role-Based Industry Standards for Coast Guard IA Professionals Commandant Instruction to include the procedures by which Direct Access will be used to monitor and verify that training has been completed by all Coast Guard Government personnel with significant information security responsibilities. In addition, the instruction should include the procedures by which Coast Guard contractor compliance will be monitored and verified.
    • Finalize, communicate, and implement the Role-Based Industry Standards for Coast Guard IA Professionals Commandant Instruction.
    • Continue with efforts to implement Direct Access as the centralized method for monitoring and verifying Coast Guard personnel compliance with the specialized role-based training requirements.
New Issue: 
Repeat Issue: X
Severity Rating: 1

NFR #: CG-IT-09-23
Condition: Although the Operation Systems Center (OSC) has begun reviewing Shore Asset Management (SAM) audit logs on a regular basis, detailed policies and procedures have not been created over the process and sufficient evidence is not maintained.
Recommendation: Develop and document comprehensive policies and procedures over the SAM audit log review process. These policies and procedures should establish the independence of the reviewer, the audit logs under review, and the supporting documentation requirements, including results and remediation efforts.
New Issue: 
Repeat Issue: X
Severity Rating: 1

NFR #: CG-IT-09-25
Condition: Procedures do not include an annual review of all Workflow Imaging Network System (WINS) user accounts, as required by the DHS 4300A Sensitive Systems Handbook and required by the DHS Chief Information Officer.
Recommendation: Modify procedures to require an annual review of one hundred percent (100%) of WINS user accounts and their associated privileges that are greater than read-only. The updated procedures should include steps to verify that: a) all terminated individuals no longer have active accounts, b) inactive accounts are locked, and c) privileges associated with each individual/role are still authorized and necessary for that job function.
New Issue: 
Repeat Issue: X
Severity Rating: 1

NFR #: CG-IT-09-31
Condition: Weaknesses continued to exist over the script configuration management process. Specifically, weaknesses were noted in the areas of approvals, testing, monitoring, maintaining documentation, and audit logging.
    • Coast Guard lacks a formal process to distinguish between the module lead approvers for script approval requests.
    • Coast Guard Finance Center (FINCEN) analysts may run scripts without seeking further approval from the Functional Supervisors for approved recurring scripts.
    • Testing requirements are inconsistently followed for the testing of the Recurring Approval scripts and retaining evidence of testing.
    • No reconciliation between the scripts run and the changes made to the database tables is being performed to monitor the script activities using this report, as it is too difficult to accurately and effectively reconcile the scripts to the audit log table changes.
    • The Script Tracking System does not consistently include all testing, approval, and implementation documentation for all scripts.
    • Variations in the way the Production Review Process (PRP) Approval Forms are populated and completed exist for fields such as financial impact, test strategy and baseline determinations.
    • Proper approval is not consistently obtained and documented prior to the running of each script.
Recommendation: Continue making improvements to implement and better document an integrated script configuration management process that includes enforced responsibilities of all participants in the process, and the continued development of documentation requirements.
We recommend that the Coast Guard should:
    • Continue to design, document, implement, and enforce the effectiveness of internal controls associated with the active (current and future) scripts.
With respect to procedures already in place, Coast Guard should:
    • Update / Develop procedures and implement technical controls in the Core Accounting System (CAS) and Financial Procurement Desktop (FPD) databases to ensure that the appropriate monitoring and review of script activities is performed and documented.
    • Continue to update script policies and procedures to include clear requirements and more detailed guidance over requesting recurring scripts, testing and documentation requirements, monitoring/audit log reviews, and blanket approval requirements. Additionally, ensure that the policies and procedures include detailed guidance over the requirements for the testing of scripts and associated test plans to ensure that the appropriate financial impact of the script is evaluated, reviewed by the appropriate personnel, tested in an appropriate test environment prior to being put into production, and documented prior to execution.
    • Further develop and implement policies and procedures governing the script change control process to ensure that all script records within the Change Management Script System are accurate and complete.
New Issue: 
Repeat Issue: X
Severity Rating: 3

NFR #: CG-IT-09-32
Condition: Coast Guard has not created specific procedures to address how monthly contractor reports will be analyzed and does not maintain supporting evidence associated with this review.
Recommendation: Develop and finalize specific procedures over the review of the Contractor Verification System reports and reconciliation of contractor accounts to ensure that contractor data within the system remains current and accurate.
New Issue: 
Repeat Issue: X
Severity Rating: 2

NFR #: (not shown on this page)
Condition: During our FY 2009 follow-up test work, we determined that Coast Guard is currently finalizing the business process that will be used to remediate the conditions identified in the prior year NFR. Once a business process has been finalized, a technical implementation will occur.
Recommendation:
    • Develop and document an enterprise-wide process that will notify all impacted system owners of terminated, transferred, or retired contractor, military, and civilian personnel; and
New Issue: 
Repeat Issue: X
Severity Rating: 2
Currently, Coast Guard           \xe2\x80\xa2 Develop and finalize entity management\nCG-IT-\n         HQ plans to use the Direct Access Human Resources               policies and procedures for verifying that\n09-33\n         (HR) system to notify system owners of HR status                terminated user accounts have been\n         changes for all individuals within the system. This             successfully removed.\n         would include terminations. Direct Access is\n         currently undergoing a phased upgrade from\n         PeopleSoft 8.0 to PeopleSoft 9.0. Coast Guard\n         informed us that while the functionality required is not\n\n\n                                                                    29\n                     Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                            Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2009\n\n                                                                                                                    New     Repeat   Severity\nNFR #                          Condition                                          Recommendation\n                                                                                                                    Issue    Issue    Rating\n         included in the 8.0 version, it should be included in\n         the 9.0 version. 
At this time, where this functionality\n         fits into that upgrade schedule, has not yet been\n         determined.\n\n         In addition, Coast Guard has created a service request\n         to track its remediation efforts and has identified the\n         termination process currently conducted at Coast\n         Guard\xe2\x80\x99s Personnel and Pay Center (PPC) as a\n         potential solution. At PPC, a report is run within\n         Direct Access whenever an individual separates,\n         retires, or transfers which automatically removes\n         system permissions. However, this process currently\n         excludes contractors and civilians whose information\n         is not currently in Direct Access.\n\n         Not all WINS change requests were appropriately            \xe2\x80\xa2   Consistently enforce the newly                        X          1\n         reviewed and approved by management prior to                   implemented PRP process to ensure that\n         development and/or prior to implementation. In                 all change requests are properly reviewed\n         addition, one of the 25 WINS changes selected was              and approved prior to development and\n         identified as having a financial impact consideration          again prior to implementation.\n         to the Coast Guard Financial Statements and, as such,\n         the appropriate Financial Representative approval was      \xe2\x80\xa2   Periodically verify FINCEN compliance\nCG-IT-\n         not obtained prior to implementation. 
We further               with its PRP and related approval and CM\n09-34\n         noted that the criterion set forth in the Coast Guard          processes.\n         Finance Center Financial Statement Impact\n         Consideration Memo does not provide sufficient detail      \xe2\x80\xa2   Formally document detailed decision\n         to assist in making a determination regarding the              criteria to be used when determining if a\n         financial impact of a proposed change.                         change has a financial impact.\n\n\n\n                                                                   30\n                     Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                           Appendix B\n                                                Department of Homeland Security\n                                            Information Technology Management Letter\n                                                       September 30, 2009\n\n                                                                                                                   New     Repeat   Severity\nNFR #                          Condition                                          Recommendation\n                                                                                                                   Issue    Issue    Rating\n         During our FY 2009 follow up, we determined that           \xe2\x80\xa2 Perform the initial background                          X        2\n         Coast Guard actively monitors all civilians to verify          investigations for civilian employees in\n         whether they have a valid background investigation on          accordance with the DHS directives over\n         record. 
We received documentation from Coast                   position sensitivity designations; and\n         Guard that identified 94 individuals with an\n         outstanding investigation. This number has been            \xe2\x80\xa2   Conduct civilian background re-\n         reduced significantly from the approximately 350               investigations as required by DHS\n         individuals identified in FY 2008.                             directives, to ensure that each civilian\n                                                                        employee has a favorably adjudicated,\n         Coast Guard continues vetting individuals based on             valid, and required background\n         the Office of Personnel Management (OPM)                       investigation.\n         requirements which require a National Agency Check\n         and Inquiries (NACI) investigation for those position\n         designations with the lowest risk. A NACI consists of\n         written inquiries and searches of records covering\nCG-IT-\n         specific areas of a person\'s background during the past\n09-40\n         five years including current and past employers,\n         schools attended, references, and local law\n         enforcement authorities.\n\n         However, all DHS government positions that use,\n         develop, operate, or maintain IT systems are\n         considered at least moderate risk (not low), and per\n         DHS, 4300A requirements, an Minimum Background\n         Investigation (MBI) is the minimum standard of\n         investigation. 
The MBI consists of the NACI as well\n         as a credit record search, face-to-face personal\n         interview between the investigator and the subject,\n         and telephone inquiries to selected employers.\n         Therefore, Coast Guard is not in compliance with\n         these DHS requirements.\n\n                                                                   31\n                     Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                         Appendix B\n                                               Department of Homeland Security\n                                           Information Technology Management Letter\n                                                      September 30, 2009\n\n                                                                                                                 New     Repeat   Severity\nNFR #                         Condition                                        Recommendation\n                                                                                                                 Issue    Issue    Rating\n\n         In addition, Coast Guard does not complete\n         background re-investigations due to the lack of the\n         requirement under current OPM guidance for low risk\n         positions even though re-investigations must be\n         completed every 10 years for moderate risk positions\n         per DHS Management Directive (MD) 11050.2,\n         Personnel Security and Suitability Program.\n\n\n         As a result of our audit test work and supported by     \xe2\x80\xa2   Continue to implement and improve                     X          3\n         all the IT NFRs issued during the current year, we          upon the monitoring of compliance with\n         determined that Coast Guard is non-compliant with           DHS, Coast Guard, and 
Federal security\n         the Federal Financial Management Improvement                policies and procedures in the areas of\n         Act (FFMIA) and we believe that Coast Guard has             the script configuration management\n         not fully addressed the recommendations in NFR              controls.\n         CG-IT-08-42.\n                                                                 \xe2\x80\xa2   Develop and implement corrective\n                                                                     action plans to address and remediate\nCG-IT-                                                               the NFRs issued during the FY 2009\n09-42                                                                audit. These corrective action plans\n                                                                     should be developed from the\n                                                                     perspective of the identified root cause\n                                                                     of the weakness both within the\n                                                                     individual NFR and across related\n                                                                     NFRs. The IT NFRs should not be\n                                                                     assessed as individual issues to fix, but\n                                                                     instead, should be assessed collectively\n                                                                     based upon the control area where the\n                                                                     weakness was identified. 
This approach\n\n\n                                                                32\n                     Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                               Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2009\n\n                                                                                                                       New     Repeat   Severity\nNFR #                           Condition                                          Recommendation\n                                                                                                                       Issue    Issue    Rating\n                                                                         enables corrective action that is more\n                                                                         holistic in nature, thereby leading to a\n                                                                         more efficient and effective processes of\n                                                                         addressing/fixing the controls that are\n                                                                         not operating effectively.\n\n         Coast Guard procedures do not include a review of all       Modify procedures to require an annual                      X          2\n         UMS user accounts, as required by DHS 4300A                 review of one hundred percent (100%) of\n         Sensitive Systems Handbook and required by the              UMS user accounts and their associated\n         DHS-CIO. 
A full 100% review of accounts that                privileges that are greater than read-only. The\nCG-IT-   exceed \xe2\x80\x98read-only\xe2\x80\x99 access would ensure that all             updated procedures should include steps to\n09-43    terminated individuals no longer have active accounts,      verify that all terminated individuals no\n         that inactive accounts are locked, and that privileges      longer have active accounts, that inactive\n         associated with all UMS users are authorized and            accounts are locked and that privileges\n         necessary.                                                  associated with each individuals are still\n                                                                     authorized and necessary.\n         Access was not authorized for two of the 15                 Include the badge software database during         X                   1\n         individuals we tested who possessed badges allowing         the data center access review process to\nCG-IT-\n         FINCEN data center access.                                  ensure that no unauthorized individuals have\n09-45\n                                                                     badges that would allow them access to the\n                                                                     FINCEN data center.\n         During our testing, we determined that all previous         Implement the corrective actions for the           X                   1\n         year conditions listed in NFRs CG-IT-08-36 and CG-          recommendations listed within the NFR.\n         IT-08-37 were properly remediated by USCG. 
As\nCG-IT-   part of this year\xe2\x80\x99s testing, we identified nine security\n09-46    configuration management weaknesses (i.e., missing\n         security patches and/or incorrect configuration\n         settings) on hosts supporting CAS and FPD.\n\nCG-IT-   Direct Access passwords do not require a special       Through our test work, we determined that the           X                   1\n09-47    character, which is a requirement set forth within DHS control weakness was remediated prior to the\n\n                                                                    33\n                     Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                              Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2009\n\n                                                                                                                      New     Repeat   Severity\nNFR #                           Condition                                         Recommendation\n                                                                                                                      Issue    Issue    Rating\n         4300A Sensitive Systems Policy Directive.                  
fiscal year-end; therefore, no recommendation\n                                                                    is required for this NFR.\n         Global Pay accounts are configured to expire after         Through our test work, we determined that the      X                   1\n         five (5) invalid login attempts, rather than three (3),    control weaknesses were remediated prior to\nCG-IT-\n         which is a requirement set forth within DHS 4300A          the fiscal year-end, therefore, no\n09-48\n         Sensitive Systems Policy.                                  recommendation is required for this NFR.\n\n         The quarterly JUMPS audit log review addresses             Review audit logs containing unusual activity      X                   1\n         unusual activity or unexplained access attempts which      and unexplained access attempts on an at least\n         DHS 4300A Sensitive Systems Policy Directive               monthly basis to meet the requirements set\n         requires to be done on a monthly basis.                    
forth in DHS 4300A, perform the necessary\nCG-IT-                                                              follow up on any incidents identified and\n09-49                                                               maintain sufficient evidence of the audit log\n                                                                    reviews, and include copies of audit logs in\n                                                                    hard copy or electronic form and evidence\n                                                                    that the review of the audit logs was\n                                                                    conducted.\n         Not all Direct Access failed logon attempts are logged     \xe2\x80\xa2 Identify the Direct Access application           X                   1\n         or reviewed; and account management audit logs for             security-oriented audit logs that should be\n         the Direct Access application are not reviewed on a            reviewed and then have the application\n         monthly basis, which is a requirement set forth within         system administrators review those Direct\n         the DHS Sensitive Systems Policy Directive.                    
Access application security logs on at\n                                                                        least a monthly basis, in accordance with\nCG-IT-                                                                  DHS Policy.\n09-50\n                                                                    \xe2\x80\xa2   Additionally, we recommend that the\n                                                                        Coast Guard upgrade to a more current\n                                                                        version of PeopleSoft and Oracle so that it\n                                                                        uses a vendor supported product with\n                                                                        more robust security controls and so that\n                                                                        accountability may be established to\n\n                                                                   34\n                     Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                 Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2009\n\n                                                                                                                         New     Repeat   Severity\nNFR #                          Condition                                            Recommendation\n                                                                                                                         Issue    Issue    Rating\n                                                                          document changes to security 
settings and\n                                                                          user profiles.\n         Only the last modification to the user account is            Review role change logs on at least a monthly       X                   1\n         documented by the COTS PeopleSoft application                basis, in compliance with DHS Policy.\n         software, making it difficult to establish accountability\n         for role changes within the Global Pay application.\nCG-IT-\n09-51\n         Additionally, role changes for the Global Pay\n         Application are not reviewed on a monthly basis,\n         which is a requirement set forth within DHS Policy.\n\n         100% of Direct Access user accounts with greater             Modify procedures to require an annual              X                   2\n         than read-only access are not reviewed annually to           review of one hundred percent (100%) of\n         verify that access remains appropriate, per the DHS          Direct Access user accounts and their\n         4300A Sensitive Systems Handbook and required by             associated privileges that are greater than\nCG-IT-   the DHS-CIO.                                                 read-only. 
The updated procedures should\n09-52                                                                 include steps to verify that all terminated\n                                                                      individuals no longer have active accounts,\n                                                                      that inactive accounts are locked and that\n                                                                      privileges associated with each individual are\n                                                                      still authorized and necessary.\n         During our after hours physical testing, we identified       \xe2\x80\xa2 Review its policies and procedures                X                   1\n         11 passwords, two unsecured laptops, two credit                   regarding Protection of Sensitive\n         cards, and four Common Access Cards (CAC).                        Information and update where required in\n                                                                           order to address DHS and other Federal\nCG-IT-   During our social engineering testing, we were                    requirements, with emphasis being placed\n09-53    provided with one password.                                       
on the potential impacts of not\n                                                                           consistently and adequately protecting this\n                                                                           sensitive information.\n                                                                      \xe2\x80\xa2 Review, and update as required, its\n                                                                           security awareness/training content to\n\n                                                                     35\n                     Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                                                        Appendix B\n                                Department of Homeland Security\n                            Information Technology Management Letter\n                                       September 30, 2009\n\n                                                                                                New     Repeat   Severity\nNFR #           Condition                                     Recommendation\n                                                                                                Issue    Issue    Rating\n                                                    address the updated Protection of\n                                                    Sensitive Information policies and\n                                                    procedures.\n                                                \xe2\x80\xa2   Validate the effectiveness of the updated\n                                                    policies and procedures and associated\n                                                    training through mechanisms such as\n                                                    scheduled and unscheduled desk/floor\n                                                    reviews, awareness training 
testing, etc.\n                                                    and take appropriate corrective action to\n                                                    address any issued identified during this\n                                                    validation.\n\n\n\n\n                                              36\n        Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                                            Appendix B\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2009\n\n\n\n\n            Department of Homeland Security \n\n             FY2009 Information Technology \n\n Notification of Findings and Recommendations \xe2\x80\x93 Detail \n\n\n\n                     \xc2\x84   Customs and Border Patrol\n\n\n\n\n                                     37 \n\nInformation Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                Department of Homeland Security                                             Appendix B\n                                          Information Technology Management Letter\n                                                     September 30, 2009\n\n                                Notification of Findings and Recommendations \xe2\x80\x93 Detail\n\n                                           U.S. 
Customs and Border Protection

NFR # | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating

CBP-IT-09-03 (Repeat Issue; Risk Rating 2)
Condition: During testing, we were informed that all [redacted] data had not been completely captured from all organizations within CBP to ensure a complete and accurate listing [redacted]. Additionally, through inspection of data on current contractors, we noted that there were data validity issues in the system, [redacted].
Recommendation: We recommend that CBP implement procedures to have [redacted] data regularly reviewed and updated by [redacted] to ensure the most accurate data is in the [redacted] for use by all of CBP.

CBP-IT-09-12 (Repeat Issue; Risk Rating 2)
Condition: We noted that [redacted] is installed on a significant majority of workstations at CBP. These workstations are on the [redacted] system. However, we noted that there are a significant number of non-[redacted] workstations that do not appear on the [redacted] listing of workstations, as maintained by the [redacted] administrators. We noted that these workstations do not have [redacted] installed as required.
Recommendation: We recommend that CBP research, identify and implement a method to consistently account for all CBP workstations and perform regular reviews to ensure that all CBP workstations have [redacted] or some future solution, appropriately applied.

38
Information Technology Management Letter for the FY 2009 DHS Integrated Audit

Department of Homeland Security                                           Appendix B
Information Technology Management Letter
September 30, 2009

CBP-IT-09-13 (Repeat Issue; Risk Rating 2)
Condition: We noted that while progress has been made in accounting for all CBP workstations, a complete and up-to-date listing of all CBP workstations is not maintained. Specifically, we noted that workstations maintained within Active Directory (AD) can be accounted for in a reasonable manner. However, workstations that are not in AD are difficult to account for, as they are not part of the Active Directory structure and can only be identified when connecting to the network, which may not occur regularly (i.e., laptops, unused equipment, etc.).
Recommendation: We recommend that CBP work with administrators across the country to ensure that new and existing workstations are added to a centralized accounting structure such as AD or some other more appropriate solution, if identified, to allow for all workstations to be accounted for in an appropriate fashion.

CBP-IT-09-21 (Repeat Issue; Risk Rating 2)
Condition: We noted that when changes to a user's ACS access profile are performed, the log of these events is not regularly reviewed by personnel independent from those individuals that made the changes.
Recommendation: We recommend that the review of these logs is implemented on a periodic basis by an independent reviewer and that CBP formalize these procedures in detail for the review of ACS security profile change logs.

CBP-IT-09-27 (Repeat Issue; Risk Rating 2)
Condition: We noted that authorizations are still not being maintained for personnel that have administrator access to [redacted]. Procedures have been implemented to require documented authorization; however, evidence could not be provided that these procedures are being implemented appropriately.
Recommendation: We recommend that CBP implement procedures that have been developed to restrict access to mainframe administrative capabilities and require documented authorization requests and approval for each person requiring access to the mainframe administrative capabilities.

CBP-IT-09-29 (Repeat Issue; Risk Rating 2)
Condition: We selected 45 individuals that had separated in FY 2009 and noted that 19 of these individuals did not have a completed CBP-241 form on file. Additionally, we noted that two forms provided for two different individuals were incomplete and lacked a supervisor's signature.
Recommendation: We recommend that CBP develop a standardized method of maintaining the CBP-241 forms to ensure that all forms for all separating employees are completed in a timely manner and are easily accessible.

CBP-IT-09-34 (Repeat Issue; Risk Rating 2)
Condition: We noted that 24 out of 60,750 Active Directory (AD) workstations, or 0.04 percent, did not have antivirus installed, which is a negligible amount. However, we could not determine what percentage of non-AD workstations have virus protection installed, as non-AD workstations do not communicate with the ePolicy Orchestrator system that is used to maintain and update virus protection across CBP workstations and networks.
Recommendation: We recommend that CBP research, identify and implement a method to consistently account for all CBP workstations and perform regular reviews to ensure that all CBP workstations have virus protection installed and that it is regularly updated.
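The inventory gap described in CBP-IT-09-12, -13 and -34 is measurable only for the hosts a directory knows about: the antivirus console reports coverage for Active Directory members, while a host that never joined AD is invisible to both. The following reconciliation script is an added example written for this letter, not CBP's or KPMG's tooling. It joins three exports a defender typically has (an AD computer list, the antivirus console's managed hosts with their last agent check-in, and hosts observed on the network from DHCP leases) and reports AD hosts with no current agent, hosts on the network that are outside AD, and which of those have no antivirus at all. All host names, dates and the seven-day staleness threshold are constructed assumptions; the 24-of-60,750 figure from the finding is reproduced only to show the percentage calculation.

```python
"""Reconcile workstation inventories against the antivirus console.

Added example modelled on findings CBP-IT-09-12, -13 and -34: hosts that are
not in Active Directory never appear in the AV console's managed list, so
coverage can only be measured for AD hosts.  Every name and date below is
constructed for illustration; none comes from the audit.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

STALE_AFTER_DAYS = 7  # assumed: an agent silent this long is treated as unprotected


def canon(name: str) -> str:
    """Normalise a host name so exports from different tools compare equal:
    lower-case, strip the AD computer-account '$', drop any DNS suffix."""
    return name.strip().lower().rstrip("$").split(".")[0]


def gap_percent(missing: int, total: int) -> float:
    """Share of hosts lacking a control, to two decimals (24 of 60,750 -> 0.04)."""
    return round(100.0 * missing / total, 2) if total else 0.0


@dataclass
class Reconciliation:
    ad_total: int
    ad_without_av: set = field(default_factory=set)    # in AD, agent missing or stale
    non_ad_seen: set = field(default_factory=set)      # on the network, not in AD
    non_ad_without_av: set = field(default_factory=set)

    @property
    def ad_gap_percent(self) -> float:
        return gap_percent(len(self.ad_without_av), self.ad_total)


def reconcile(ad_hosts, av_console, network_seen, as_of) -> Reconciliation:
    """ad_hosts: AD computer names; av_console: {host: last agent contact date};
    network_seen: hosts observed on the network (e.g. from DHCP leases)."""
    ad = {canon(h) for h in ad_hosts}
    seen = {canon(h) for h in network_seen}
    cutoff = as_of - timedelta(days=STALE_AFTER_DAYS)
    # A host only counts as protected if its agent has checked in recently.
    protected = {canon(h) for h, last in av_console.items() if last >= cutoff}
    r = Reconciliation(ad_total=len(ad))
    r.ad_without_av = ad - protected
    r.non_ad_seen = seen - ad
    r.non_ad_without_av = r.non_ad_seen - protected
    return r


# --- constructed sample exports (not real inventory data) -------------------
AD_EXPORT = ["WS-HQ-0001$", "WS-HQ-0002$", "WS-FIELD-0101$", "WS-FIELD-0102$"]
AV_CONSOLE = {                                      # host -> last agent check-in
    "ws-hq-0001.corp.example": date(2009, 9, 29),
    "ws-hq-0002.corp.example": date(2009, 9, 30),
    "ws-field-0101.corp.example": date(2009, 8, 1),  # stale agent
    "lab-01": date(2009, 9, 30),                     # managed, but not in AD
}
DHCP_LEASES = ["ws-hq-0001", "ws-field-0102", "lab-01", "lab-02", "KIOSK-7"]
AS_OF = date(2009, 9, 30)


def report(r: Reconciliation) -> list:
    """Human-readable findings, one line per item."""
    lines = [f"AD hosts without current AV: {len(r.ad_without_av)}/{r.ad_total}"
             f" ({r.ad_gap_percent}%)"]
    lines += [f"  {h}" for h in sorted(r.ad_without_av)]
    lines.append(f"Hosts seen on network but not in AD: {len(r.non_ad_seen)}")
    lines += [f"  {h}{'  <- no AV' if h in r.non_ad_without_av else ''}"
              for h in sorted(r.non_ad_seen)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(reconcile(AD_EXPORT, AV_CONSOLE, DHCP_LEASES, AS_OF))))
```

The network-observation list is what closes the gap the finding describes: without it the non-AD hosts are simply absent from every report, and the coverage figure looks complete while measuring only the managed population.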
CBP-IT-09-41 (Repeat Issue; Risk Rating 2)
Condition: We noted that a Customs Directive was provided as separation procedures for contractors and that this directive was dated September 2001. The directive references Treasury policies as source documentation. This directive is out of date, as CBP is no longer a part of the Department of Treasury. A new directive was issued requiring the use of the Contractor Tracking System; however, the new directive still refers to the old directive, which has not been updated. Additionally, we noted that CBP-242 contractor separation forms are not completed consistently for separating CBP contractors. Specifically, we noted that three separated contractors out of 45 selected had their forms completed over one month after they separated from CBP.
Recommendation: We recommend that CBP review the current Customs Directive and update it to reflect the current operating environment. Additionally, we recommend that CBP require the consistent and accurate completion of the CBP-242 forms for all separating contractors.

CBP-IT-09-44 (Repeat Issue; Risk Rating 2)
Condition: We noted that non-disclosure agreements are still not consistently being signed by contractors at CBP. Specifically, we noted that NDAs for eight out of 45 selected contractors were signed many months after their hire date. Additionally, we noted that one NDA did not have a witness signature, indicating the NDA was not appropriately completed.
Recommendation: We recommend that CBP implement a more consistent method of ensuring that contractors sign an NDA. We also recommend that COTRs regularly review their contractors and ensure that there is an NDA for each contract under their supervision.

CBP-IT-09-45 (Repeat Issue; Risk Rating 2)
Condition: Parameters for all mainframe audit and [redacted] are not configured to collect appropriate data. Specifically, we noted that one out of the six mainframe audit and system utility logs, [redacted], did not produce any data during the time of testing due to an inaccurate filtering configuration.
Recommendation: We recommend that CBP properly configure mainframe audit and system utility logs to capture appropriate data for the NDC Mainframe system.

CBP-IT-09-48 (Repeat Issue; Risk Rating 2)
Condition: We noted the following weaknesses related to the ACS Security Audit Logs procedures:
• Procedures do not define how often the ACS security profile change audit logs are reviewed.
• Procedures do not describe how documented evidence of the review process is created by the ACS Information System Security Officer (ISSO)/Independent Reviewer.
• Procedures do not define the sampling methodology that is used to select ACS profile change security logs for review.
Recommendation: We recommend that CBP create detailed procedures that document the review process for ACS profile change logs that includes the documented evidence of review.

CBP-IT-09-56 (New Issue; Risk Rating 2)
Condition: We noted that ACE audit logs are not being reviewed on a regular basis. We noted that procedures have been established, which require that audit logs and events be reviewed on a weekly basis. However, at this time, procedures have not been implemented effectively.
Recommendation: We recommend that CBP implement the procedures that have been established for reviewing ACE audit logs on a weekly basis to be in compliance with DHS guidelines.

CBP-IT-09-57 (New Issue; Risk Rating 2)
Condition: We noted that five out of the 25 sampled audit logs did not contain any audit log information, such as login attempts, intruder detected, login failed, Access Control List (ACL) changed, object activity, etc. We did not receive audit log information for the following five selected dates:
• February 16, 2009
• April 1, 2009
• April 7, 2009
• April 19, 2009
• May 4, 2009
Recommendation: We recommend that CBP conduct a more thorough review of audit logs to ensure that logs are capturing all necessary information and that no blank logs exist. Further, CBP should ensure that audit logs are configured properly to capture all information and activity on the system.

CBP-IT-09-58 (New Issue; Risk Rating 2)
Condition: We noted that [redacted] passwords were not required to be case sensitive for a period of time during our testing and therefore did not meet CBP and DHS requirements. Further testing has shown that passwords currently are required to be case sensitive and that issue has now been resolved.
Recommendation: As this condition was addressed during the course of the audit fieldwork, we have no further recommendation to CBP.
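Three of the findings above are about the same failure seen from different angles: a log source that silently produced nothing because of a filter (CBP-IT-09-45), sampled dates with no events at all (CBP-IT-09-57), and a weekly review that was defined but not performed (CBP-IT-09-56). The script below is an added example, not code from the audit or from CBP, showing the automated checks a log owner can run so those gaps surface before an auditor samples them: days in a period with zero records, event categories that never appear (the signature of a filter dropping a class of events), and calendar weeks with no recorded review. The log format, the sample events and the review dates are constructed; the expected event categories are the ones listed in CBP-IT-09-57, and the blank dates reuse three of that finding's dates to make the output recognisable.

```python
"""Check audit-log completeness and review cadence.

Added example reflecting CBP-IT-09-45, -56 and -57: a log that produced no
data because of a filter, weekly reviews that were not performed, and
sampled dates with no events at all.  The log lines and review dates are
constructed for illustration; they are not from the audit.
"""
from collections import Counter
from datetime import date, datetime, timedelta

# Event categories the finding expects to see in an audit log.
EXPECTED_EVENT_TYPES = {"login_attempt", "login_failed", "intruder_detected",
                        "acl_changed", "object_activity"}


def parse_records(lines):
    """Parse constructed lines 'YYYY-MM-DD HH:MM:SS <event_type> <details>'
    into (timestamp, event_type) tuples; comments and blanks are skipped."""
    records = []
    for ln in lines:
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        day, clock, event_type = ln.split(None, 3)[:3]
        stamp = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        records.append((stamp, event_type))
    return records


def blank_dates(records, start, end):
    """Dates in [start, end] for which the log holds no events at all."""
    per_day = Counter(stamp.date() for stamp, _ in records)
    days = ((end - start).days + 1)
    return [start + timedelta(days=i) for i in range(days)
            if per_day[start + timedelta(days=i)] == 0]


def missing_event_types(records):
    """Expected categories that never occur: a strong hint that a collection
    filter is discarding them rather than that they never happened."""
    return EXPECTED_EVENT_TYPES - {event_type for _, event_type in records}


def week_of(d: date) -> date:
    """Monday that starts the ISO week containing d."""
    return d - timedelta(days=d.weekday())


def weeks_without_review(review_dates, start, end):
    """Week-start dates in the period for which no review was recorded."""
    reviewed = {week_of(d) for d in review_dates}
    week, missing = week_of(start), []
    while week <= end:
        if week not in reviewed:
            missing.append(week)
        week += timedelta(days=7)
    return missing


def constructed_log(start, end, blank):
    """Build sample log lines: three events per day, none on the blank dates,
    and never an 'acl_changed' or 'intruder_detected' event (mimicking a
    filter that drops them).  Constructed data, not a real log."""
    lines = ["# constructed sample, not real audit data"]
    kinds = ["login_attempt", "login_failed", "object_activity"]
    d = start
    while d <= end:
        if d not in blank:
            for i, kind in enumerate(kinds):
                lines.append(f"{d.isoformat()} {i + 8:02d}:15:00 {kind} "
                             f"user=u{i} src=10.0.0.{i + 1}")
        d += timedelta(days=1)
    return lines


START, END = date(2009, 4, 1), date(2009, 4, 19)          # review period (constructed)
BLANK_DATES = {date(2009, 4, 1), date(2009, 4, 7), date(2009, 4, 19)}
SAMPLE_LOG = constructed_log(START, END, BLANK_DATES)
REVIEW_DATES = [date(2009, 4, 3), date(2009, 4, 17)]      # constructed attestations


def summary(lines=SAMPLE_LOG, reviews=REVIEW_DATES, start=START, end=END):
    """Run all three checks and return their results in one dict."""
    records = parse_records(lines)
    return {
        "blank_dates": blank_dates(records, start, end),
        "missing_event_types": missing_event_types(records),
        "weeks_without_review": weeks_without_review(reviews, start, end),
    }


if __name__ == "__main__":
    for check, result in summary().items():
        print(f"{check}: {sorted(map(str, result))}")
```

Running the blank-date check on the finding's own sample would have flagged the five dates before they were sampled; running the event-type check against the filter configuration change is what catches the CBP-IT-09-45 condition, since a log that produces no records for one category looks healthy by volume alone.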
CBP-IT-09-59 (New Issue; Risk Rating 2)
Condition: We noted that formal procedures do not exist that describe the mainframe audit process and how to generate the system utility log reports for the mainframe ISSO's review.
Recommendation: We recommend that CBP create and implement formal procedures to document the generation of mainframe audit and system utility logs.

CBP-IT-09-60 (New Issue; Risk Rating 2)
Condition: We noted that one user was allowed 1,476 failed attempts to access a dataset to which they were not authorized before their access was suspended in the [redacted]. We determined that the control option in the security software, which results in immediate suspension of any user who exceeds the specified number of violations, was not configured properly.
Recommendation: We recommend an adjustment to the Access Response control option to result in the immediate suspension of any user who exceeds the specified number of violations, which should be set to a reasonably low number.

CBP-IT-09-61 (New Issue; Risk Rating 2)
Condition: We noted that there are six individuals within OIT that are in critical sensitive positions and have not had their periodic reinvestigations completed within the five year time frame. Specifically, of these six individuals, we noted the following:
• Two individuals in critical positions had their reinvestigations completed a year or longer later than they should have been.
• Four individuals in critical positions should have had their reinvestigations completed and are several months late. Of these four individuals, one has not had their investigation status updated since August 2002.
Recommendation: We recommend that CBP devote adequate resources to the completion of periodic reinvestigations and initial investigations that are due for all CBP personnel. Additionally, we recommend that CBP devote special attention to those individuals in critical sensitive positions requiring initial or periodic reinvestigations.

CBP-IT-09-62 (New Issue; Risk Rating 2)
Condition: We noted that the requirement to sign a rules of behavior is not implemented consistently. Out of 40 individuals with systems access across the country, ten individuals did not have a signed rules of behavior form on record. Additionally, 11 individuals signed the rules of behavior form months after the CBP Chief Information Officer's (CIO's) requirement to sign the rules of behavior. These individuals have had access during fiscal year 2009.
Recommendation: We recommend that CBP implement a more consistent method of ensuring that all individuals with CBP systems access sign a rules of behavior form. We also recommend that methods be developed to ensure that individuals with access to any and all CBP systems have a rules of behavior form signed.

CBP-IT-09-63 (New Issue; Risk Rating 2)
Condition: We noted that [redacted] is not configured to disable accounts after 45 days of inactivity for the full fiscal year, as required by CBP and DHS policy.
Recommendation: We recommend that CBP ensure that the Change Request to implement this control is completed, appropriately approved and implemented to disable accounts after 45 days of inactivity as required by CBP and DHS policy.

CBP-IT-09-64 (New Issue; Risk Rating 2)
Condition: We determined that ISAs for all identified participating government agencies have not been documented as required by CBP and DHS policies.
Recommendation: We recommend that CBP develop a consistent and uniform naming scheme for all current and future ACS connections to facilitate the identification of all existing ACS connections as well as to facilitate the reconciliation of existing ISAs. Finally, we recommend that once all ACS mission connections have been identified, the appropriate ISAs are produced.

CBP-IT-09-65 (New Issue; Risk Rating 2)
Condition: We inspected access request documentation for 45 individuals who were granted ACE access during FY 2009. Initial access requests and approvals for 30 of these individuals could not be provided. Although confirmation that access is appropriate was provided for these 30 individuals, access approvals prior to the creation of the account were not maintained.
Recommendation: We recommend that CBP implement procedures to consistently document the access requests and approvals for any and all access creations and changes to ACE users.

CBP-IT-09-66 (New Issue; Risk Rating 2)
Condition: We noted that CBP portal accounts for separated employees are removed on a bi-weekly basis and are not removed on the day of the individual's separation as required by CBP and DHS policy. Additionally, we noted that one contractor who had [redacted] access had separated from CBP but the account was not disabled until some time after they had separated.
Recommendation: We recommend that CBP investigate and implement a method to disable CBP accounts for separated employees and contractors upon their separation or before, as determined appropriate by [redacted] security management and Human Resources.

CBP-IT-09-67 (New Issue; Risk Rating 2)
Condition: We inspected access request documentation for 45 individuals who had their [redacted] access profiles modified during FY 2009. Access change requests and approvals for 14 of these individuals could not be provided. Although confirmation that the access is appropriate was provided for these 14 individuals, access approvals prior to the modification of the account were not maintained.
Recommendation: We recommend that CBP implement procedures to consistently document the access requests and approvals for any and all access creations and changes to [redacted] user profiles.

CBP-IT-09-68 (New Issue; Risk Rating 2)
Condition: During our technical testing, patch and configuration management exceptions were identified on the [redacted]. These conditions can be found in the table within the actual NFR.
Recommendation: During our technical testing, patch and configuration management exceptions were identified on the [redacted]. The recommendations to address these conditions can be found in the table within the actual NFR.

CBP-IT-09-69 (New Issue; Risk Rating 2)
Condition: We inspected profile change reviews performed by CBP management for changes to SAP access profiles and noted that the profile review was ineffective. Specifically, we noted that only access deletes were tested in the review. These deletes remove an individual's access and do not increase an individual's access. Additions of new users and modifications to user IDs (change/addition of profiles) were not part of the selected access changes that were reviewed. The review only consisted of deleted accounts and did not review any new accounts that had been added during the review period.
Recommendation: We recommend that the review of these access change logs is implemented on a periodic basis by an independent reviewer and that CBP modify their procedures to ensure that all types of access changes (adds, deletes and modifications) are reviewed to ensure that appropriate requests and approvals were documented.

CBP-IT-09-70 (New Issue; Risk Rating 2)
Condition: We noted that a memo was issued by the Component Chief Information Security Officer (CISO) to limit temporary/emergency access to [redacted] to no more than four times per month. We noted that the policy was adjusted to restrict access to 25 times per user, per role, over a six month period. Taking into account this new control, we noted that during FY 2009, there was one individual who was granted access to a temporary/emergency role 43 times over a six month period.
Recommendation: We recommend that procedures be formalized around the process for granting temporary and emergency access to developers to ensure that access to these sensitive roles is restricted appropriately. Specifically, we recommend that CBP ensure controls are in place to confirm a user is authorized to be granted the role and that the individual had not been granted that role more than authorized by the Component CISO over a certain period of time.

CBP-IT-09-71 (New Issue; Risk Rating 2)
Condition: We noted that out of a selected 25 instances in which emergency access was granted to [redacted] users, four individuals did not have Chief Information Security Officer (CISO) approval for their emergency access. Additionally, we noted that there was one instance in which the emergency access was granted in error without authorization and three instances where the improper form was used to request emergency/temporary access.
Recommendation: We recommend that CBP continue to implement processes to appropriately restrict and authorize access to temporary and emergency roles within [redacted].

CBP-IT-09-72 (New Issue; Risk Rating 2)
Condition: We noted that [redacted] is not currently configured to restrict access to least privilege for performing job functionality as required by CBP policy.
Recommendation: We recommend that the [redacted] Security Team continue to work with the Office of Finance to identify incompatible roles and that procedures are developed as part of the access control process to ensure that these role combinations are not granted to users.

CBP-IT-09-73 (New Issue; Risk Rating 2)
Condition: We inspected access documentation for three National SCOs created in FY 2009 and 37 Field SCOs created in FY 2009 and noted the following exceptions:
• Two of the three National SCOs were not authorized and their roles were added by mistake.
• One National SCO was approved through a manual recertification, and the initial authorization request and/or approval could not be provided.
• 36 of the 37 Field SCOs' initial authorization and approval could not be provided. Instead, a recertification was provided, though the recertification did not note who performed the recertification and what authorization they had to perform the recertification.
Recommendation: We recommend that CBP develop and implement procedures to restrict access to the Field and National SCO roles and require documented authorization requests and approval for each person requiring access to the [redacted] administrative capabilities.

CBP-IT-09-74 (New Issue; Risk Rating 2)
Condition: Multiple incidents of unprotected CBP information systems and data were found as a result of physical security walkthroughs. Additionally, passwords were obtained from two CBP employees through social engineering techniques.
Recommendation: We recommend that CBP review their information system security awareness programs to ensure that individuals are adequately instructed and reminded of their roles in the protection of both electronic and physical CBP data and hardware. Additionally, CBP employees and contractors should be made especially aware of the need to protect personally identifiable information as well as information marked "For Official Use Only."


Department of Homeland Security
FY2009 Information Technology - Notice of Findings and Recommendations – Detail

Federal Emergency Management Agency

NFR # | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating

FEMA-IT-09-02 (Repeat Issue; Risk Rating 3)
Condition: Password, patch management, and configuration management weaknesses were identified during vulnerability assessment technical testing.
Recommendation: Implement the specific corrective actions listed in the NFR for each technical control
weakness identified.\n         Note: Due to the nature of this finding, see the\n         tables in associated NFR for the specific details\n         of the conditions.\n\n\n\n\n                                                               52\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                             Department of Homeland Security\n                                                                                                                      Appendix B\n                                          Information Technology Management Letter\n                                                     September 30, 2009\n\n                                                                                                              New     Repeat        Risk\nNFR #                       Condition                                      Recommendation\n                                                                                                              Issue    Issue       Rating\nFEMA-    The process outlined for the Core Integrated        \xe2\x80\xa2    Revise applicable FEMA policies and                    X           3\nIT-09-   Financial Management Information System                  procedures to require that any accounts\n  03     (FMIS) recertification that initiated on January         which are not positively verified during\n         12, 2009, required that a new FEMA Form 20-24            the periodic review of IFMIS accounts for\n         be approved and submitted to the Financial               recertification are revoked until a new\n         Systems Section (FSS) for all current IFMIS              approved FEMA Form 20-24 is received\n         users, and also required revocation of any               by FSS personnel.\n         accounts that could not be validated. 
However,\n         we noted that the requirement to revoke access is   \xe2\x80\xa2    Dedicate resources to ensure that\n         not documented in the Office of the Chief                consistent application of FEMA\n         Financial Officer (OCFO) Procedures for                  policies/procedures and DHS policy is\n         Granting Access to IFMIS or FEMA Instruction             performed by revoking access for all\n         2200.7, IFMIS User Access Policy and                     IFMIS application accounts not validated\n         Procedures.                                              through submission of a new FEMA Form\n                                                                  20-24 as part of the periodic account\n         We reviewed access authorization documentation           review.\n         for a selection of 40 active Core IFMIS user\n         accounts, noted that two accounts did not have a\n         FEMA Form 20-24 completed after January 12,\n         2009, and concluded that the accounts were not\n         appropriately recertified and validated as\n         belonging to current users. 
Additionally, access\n         for the two accounts was not revoked, per the\n         process described in the memorandum.\n\n\n\n\n                                                                 53\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                               Department of Homeland Security\n                                                                                                                        Appendix B\n                                            Information Technology Management Letter\n                                                       September 30, 2009\n\n                                                                                                                New     Repeat        Risk\nNFR #                        Condition                                       Recommendation\n                                                                                                                Issue    Issue       Rating\nFEMA-    During the FY 2009 follow-up testwork, we              Develop and implement policies and                         X           2\nIT-09-   noted that FEMA has obtained and distributed a         procedures documenting the process of\n  06     reference guide that documents the purpose of          adding, deleting, and modifying Core IFMIS\n         Core IFMIS system security functions and their         system security functions to ensure that the\n         associated permissions and configuration options.      proper controls are in place for modifying\n         However, the guide does not include policies and       user account privileges. Additionally, these\n         procedures addressing process requirements for         policies and procedures should include\n         adding, deleting, and modifying Core IFMIS             requirements over the monitoring of the usage\n         system security functions. 
We also determined          of function modification privileges,\n         that no additional policies and procedures have        configuration changes implemented for Core\n         been developed by FEMA or the IT developer of          IFMIS system security functions, and\n         IFMIS that establish a process for implementing        requirements over updating system\n         change controls for the maintenance of system          documentation for changes in the system\n         security functions and their associated privileges.    security functions.\n         FEMA management represented to us that access\n         to the security menu is limited, individuals with\n         access to the menu do not use their privileges to\n         delete, create, or modify functions, and changes\n         are made to Core IFMIS system security\n         functions through the standard change control\n         process. However, we noted there are no\n         controls in place to restrict and/or monitor the use\n         of these privileges to ensure that system security\n         functions are not modified, created, or deleted.\n         Based on our testwork, we concluded that a\n         formalized process for modifying specific Core\n         IFMIS system security functions to ensure that\n         appropriate privileges are created, documented,\n         approved, and monitored does not exist.\n\n\n\n\n                                                                  54\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                             Department of Homeland Security\n                                                                                                                      Appendix B\n                                          Information Technology Management Letter\n                                                     September 30, 2009\n\n                                       
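The account checks behind FEMA-IT-09-03 above (accounts with no FEMA Form 20-24 approved on or after the recertification start date) and FEMA-IT-09-13 below (accounts still active after the holder separated, and separated users who hold both remote access and an application role), together with the incompatible-role condition in CBP-IT-09-72 and FEMA-IT-09-38, all reduce to one reconciliation over an exported account list. The script below is an illustration added by the editor; it is not part of the audit report and is not FEMA's or CBP's tooling. The account export, HR separation list, role names and incompatible-role pairs are constructed for the example, and the recertification cut-off simply mirrors the January 12, 2009 date in the finding.

```python
"""Periodic user-access review checks (added illustration, not audit tooling).

All data below is constructed for the example: the account export, the HR
separation list, the role names and the incompatible-role pairs are
hypothetical.  The cut-off date mirrors the January 12, 2009 recertification
start in FEMA-IT-09-03; the review date is the fiscal year end in the report.
"""
from datetime import date

RECERT_START = date(2009, 1, 12)   # Form 20-24 approved on/after this = recertified
REVIEW_DATE = date(2009, 9, 30)    # date the review is run against

# Constructed active-account export.  "form_approved" is the approval date of
# the most recent access form on file, or None if no form could be produced.
ACCOUNTS = [
    {"user": "asmith", "system": "IFMIS", "roles": {"AP_ENTRY"}, "form_approved": date(2009, 2, 3)},
    {"user": "bjones", "system": "IFMIS", "roles": {"AP_ENTRY", "AP_APPROVE"}, "form_approved": date(2008, 6, 1)},
    {"user": "cwong", "system": "IFMIS", "roles": {"GL_POST"}, "form_approved": None},
    {"user": "dlee", "system": "NEMIS", "roles": {"NACS_ADMIN"}, "form_approved": date(2009, 3, 1)},
    {"user": "dlee", "system": "VPN", "roles": {"REMOTE"}, "form_approved": date(2009, 3, 1)},
    {"user": "efox", "system": "VPN", "roles": {"REMOTE"}, "form_approved": date(2009, 1, 20)},
]

# Constructed HR separation list: user -> date of separation.
SEPARATIONS = {"dlee": date(2009, 4, 15), "efox": date(2009, 5, 2)}

# Hypothetical incompatible role pairs; the report does not list the real ones.
INCOMPATIBLE_ROLES = {frozenset({"AP_ENTRY", "AP_APPROVE"})}


def not_recertified(accounts, cutoff=RECERT_START):
    """(user, system) pairs with no access form approved on or after the cutoff.
    Under the process in FEMA-IT-09-03 these should be revoked pending a new form."""
    return sorted(
        (a["user"], a["system"])
        for a in accounts
        if a["form_approved"] is None or a["form_approved"] < cutoff
    )


def active_after_separation(accounts, separations, as_of=REVIEW_DATE):
    """(user, system, days_since_separation) for accounts still in the export
    although the holder separated on or before the review date."""
    hits = []
    for a in accounts:
        sep = separations.get(a["user"])
        if sep is not None and sep <= as_of:
            hits.append((a["user"], a["system"], (as_of - sep).days))
    return sorted(hits)


def separated_with_remote_and_app_access(accounts, separations, as_of=REVIEW_DATE, remote="VPN"):
    """Separated users who still hold remote access plus at least one other
    system account (the iPass/VPN + NACS combination noted in FEMA-IT-09-13)."""
    systems_by_user = {}
    for a in accounts:
        systems_by_user.setdefault(a["user"], set()).add(a["system"])
    return sorted(
        user
        for user, systems in systems_by_user.items()
        if user in separations
        and separations[user] <= as_of
        and remote in systems
        and systems - {remote}
    )


def incompatible_role_holders(accounts, incompatible=INCOMPATIBLE_ROLES):
    """(user, system, roles) where a single account holds a full incompatible pair."""
    hits = []
    for a in accounts:
        for pair in incompatible:
            if pair <= a["roles"]:
                hits.append((a["user"], a["system"], tuple(sorted(pair))))
    return sorted(hits)


if __name__ == "__main__":
    print("Not recertified:", not_recertified(ACCOUNTS))
    print("Active after separation:", active_after_separation(ACCOUNTS, SEPARATIONS))
    print("Separated, remote + application access:",
          separated_with_remote_and_app_access(ACCOUNTS, SEPARATIONS))
    print("Incompatible roles:", incompatible_role_holders(ACCOUNTS))
```

Each function returns the exception list an auditor would sample against, so the same script serves the semi-annual review that FEMA-IT-09-12 requires and the separation check in FEMA-IT-09-13; in practice the inputs come from the application's account export and the HR separation feed rather than the constructed lists above.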
NFR #: FEMA-IT-09-12 (Repeat issue; risk rating 3)
Condition: The standard operating procedure (SOP) for recertification of NEMIS positions has not been finalized and implemented to require a semi-annual review of all user roles within the NEMIS Access Control System (NACS), including privileges related to access to specific NEMIS applications and modules.
Furthermore, we determined that FEMA Enterprise Operations staff completed development of the technical infrastructure within NACS to support the recertification effort at the end of FY 2008. However, we determined that the FY 2008 recertification of NEMIS/NACS roles was not completed, and FEMA initiated but did not complete the FY 2009 recertification that was scheduled for completion by April 30, 2009.
Recommendation:
• Dedicate resources to complete the on-going review of NEMIS user access for FY 2009 and perform subsequent reviews, as required by DHS policy.
• Finalize and fully implement formal procedures for conducting the NEMIS recertification process and retaining auditable records, in accordance with DHS policy.

NFR #: FEMA-IT-09-13 (Repeat issue; risk rating 3)
Condition: During FY 2009, we performed test work over security controls in place for Core IFMIS, NEMIS, and the FEMA iPass/virtual private network (VPN) remote access system, including follow-up testing on the prior year finding.
We compared active Core IFMIS, NEMIS, and iPass/VPN remote access accounts against a list of FEMA employees that had separated from employment since October 1, 2008, and determined that 1 Core IFMIS account, 62 NEMIS accounts, and 28 iPass/VPN accounts remained active and unlocked after the account holder's separation from FEMA. Additionally, of the 28 active iPass/VPN accounts, we determined that 11 also had at least one active NACS role, indicating active remote access privileges to both the FEMA network and NEMIS.
Recommendation:
• Evaluate and, if appropriate, revise existing procedures over removal of separated user access to IT systems to identify weaknesses that contribute to untimely removal of separated individuals from the information systems.
• Ensure that procedures and processes are implemented consistently to remove system and application accounts for all separated users immediately upon notification of separation, in accordance with FEMA, DHS, and NIST guidance.

NFR #: FEMA-IT-09-17 (Repeat issue; risk rating 2)
Condition: During the FY 2009 follow-up testwork, we noted that FEMA has a SOP that outlines the controls intended to address the risk associated with the Core IFMIS developers having the ability to migrate changes to the Core IFMIS production environment. The SOP, in particular, requires the locking and unlocking of the ifmiscm account by system administrators during the implementation of software changes into production. However, we determined that no formal procedures or processes are documented for performing reviews to verify that only authorized changes to the ifmiscm directory and sub-directories are implemented into production by the developers. Additionally, we determined that although informal reviews of the directories were performed during the fiscal year, they were not routinely completed, and documented evidence of the reviews performed was not retained.
Recommendation: Implement compensating controls to address the risk associated with the segregation of duties weakness related to developers making changes to the production environment. Specifically, FEMA should develop and implement policies and procedures for conducting periodic reviews to verify that only authorized changes are made to the Core IFMIS production directories and subdirectories by developers using the ifmiscm account. Additionally, the policies and procedures should include requirements for retention of auditable evidence of the reviews that are performed.

NFR #: FEMA-IT-09-19 (Repeat issue; risk rating 3)
Condition: FEMA Enterprise Operations personnel informed us that the SOP, Monitoring Sensitive Access to NEMIS, was developed to outline the process for monitoring sensitive access to the NEMIS operating system. Based upon our review of the SOP, we noted that a list of NEMIS servers considered to be within the scope of the SOP is provided, but that specific hosts and server designations are not clearly defined. In particular, approximately 30 separate IT components are described and certain servers supporting web-facing applications for registration, applicant inquiry, and assistance processing are listed. However, based on additional testwork and corroborative inquiry of NEMIS personnel, we determined that at least 170 operating system servers for NEMIS are not comprehensively included in the scope of the SOP.
Additionally, FEMA informed us that the outlined procedures for conducting the required reviews of audit trails every three days and retaining evidence for at least a year have not been implemented, and the NEMIS operating system activity is not currently being logged or monitored. We also noted that no application or tool is currently in place to support the audit logging function on the NEMIS Linux server.
Consequently, we concluded that FEMA has partially addressed the prior year recommendation by including review and retention requirements in the SOP for monitoring NEMIS activity. However, the SOP has not been implemented on the operating system software supporting NEMIS and does not include all NEMIS operating system servers within its scope.
Recommendation:
• Revise the SOP, Monitoring Sensitive Access to NEMIS, to ensure that it states that the scope of the procedures includes all servers defined in up-to-date system documentation as supporting NEMIS system software within system boundaries for the financial applications and modules.
• Acquire and deploy appropriate tools on system software and operating systems supporting the NEMIS financial applications to generate audit trails and records in accordance with FEMA and DHS policy.
• Implement the SOP, Monitoring Sensitive Access to NEMIS, by reviewing and retaining audit trails and records in accordance with FEMA and DHS policy.

NFR #: FEMA-IT-09-22 (Repeat issue; risk rating 3)
Condition: During our FY 2009 follow-up testwork, we noted that FEMA was unable to take corrective action to establish and implement an alternate processing site for the NEMIS application. Additionally, a current waiver over the lack of an alternate processing site did not exist.
FEMA security personnel described compensating controls surrounding the contingency planning process. Specifically, FEMA management informed us that in FY 2009 the NEMIS Contingency Plan was partially tested through an annual table-top exercise to restore five of the NEMIS servers from backup tapes at the Mt. Weather Emergency Operations Center (MWEOC). Furthermore, FEMA management informed us that compensating controls were also provided through performance of full backups of critical NEMIS data on a regular basis and the transfer of these tapes to an offsite backup storage facility. However, during further testwork and analysis, we determined that there were weaknesses in the compensating controls described by FEMA management. In particular, we noted that while the contingency plan was tested, a full restore of all of the NEMIS servers was not performed. Additionally, backup tapes for NEMIS are not fully tested on a periodic basis. (Please refer to NFRs FEMA-IT-09-24 and FEMA-IT-09-25 for further information.)
Recommendation:
• Continue and complete efforts required to establish and implement an alternate processing site for NEMIS according to DHS 4300A.
• Until an alternate processing site is established, develop and submit a waiver for approval in accordance with DHS policy regarding waivers, and ensure that compensating controls over the alternate processing site are effective and that documentation of their effectiveness is maintained as auditable records.

NFR #: FEMA-IT-09-24 (Repeat issue; risk rating 2)
Condition: In FY 2009, we conducted follow-up procedures to determine if FEMA had implemented corrective action for the prior year finding and determined that NEMIS backup tapes were not regularly tested during FY 2009.
Recommendation: Periodically test NEMIS backup tapes at a frequency that is in compliance with FEMA and DHS policy.

NFR #: FEMA-IT-09-25 (Repeat issue; risk rating 2)
Condition: During our FY 2009 audit, we conducted follow-up procedures and determined that full-scale testing of the NEMIS Contingency Plan, in accordance with DHS requirements for high impact availability systems, has not been conducted. FEMA provided us with the testing results of limited table-top testing that was performed to test the local restoration of four of the approximately 170 servers that comprise NEMIS. However, the DHS-approved waiver obtained in FY 2008 that listed table-top testing as a compensating control for FEMA's inability to fully test NEMIS had expired.
In FY 2009 we also determined that the existing NEMIS Contingency Plan does not adequately and comprehensively include information required by DHS policy for systems with high impact availability. For example, we noted the following weaknesses:
• Detailed information over NEMIS system architecture, such as the database and server names and information over the various modules of NEMIS, was not appropriately documented to reflect the current operating environment.
• The contingency plan did not include detailed procedures necessary to fully restore the NEMIS application in the event of an emergency.
• System/Application Recovery Priority Classifications have not been defined.
• Service Level Agreements and Memoranda of Understanding (MOU) were not included in the plan.
• The Business Impact Analysis included in the contingency plan was completed in 2004 and not adequately documented.
Recommendation:
• Update the NEMIS Contingency Plan so that it meets the requirements of DHS policy for high impact availability systems. Additionally, ensure that the plan comprehensively addresses the numerous sub-systems within NEMIS so that detailed information exists over the current system architecture, critical processing priorities, detailed SOPs for systems recovery and other required components in accordance with DHS guidance.
• Conduct documented annual tests of the NEMIS Contingency Plan that address all critical phases of the plan and update the plan with lessons learned, as necessary and in accordance with DHS and NIST requirements.
• If the NEMIS contingency plan cannot be tested in accordance with DHS guidance for high impact availability systems, FEMA should develop, implement, and document effective compensating and mitigating controls.

NFR #: FEMA-IT-09-28 (Repeat issue; risk rating 3)
Condition: In FY 2009, we performed follow-up testwork over NEMIS non-emergency system changes that occurred under the process established during the time frame of October 1, 2008 to February 28, 2009, prior to the change in the NEMIS development contractors. Specifically, of the 25 NEMIS non-emergency application level System Change Requests (SCR) tested, we noted the following exceptions:
• Seven of 25 SCRs did not obtain documented SCR approval prior to development;
• 21 of 25 SCRs did not obtain documented Technical Development Laboratory (TDL) approval prior to implementation in the test environment;
• Two of 25 SCRs did not obtain documented Technical Review Committee (TRC) approval prior to implementation into production; and
• Eight of 25 SCRs did not have testing documentation to demonstrate that testing occurred.
Recommendation: We recommend that FEMA, in accordance with DHS and FEMA policy, ensure that when implementing the new NEMIS non-emergency change control process all required approvals are obtained prior to development and implementation of changes into production. Additionally, FEMA should ensure that the appropriate testing is conducted and that the testing documentation is appropriately retained according to FEMA and DHS policy.

NFR #: FEMA-IT-09-29 (Repeat issue; risk rating 3)
Condition: We tested a selection of three NEMIS emergency application level SCRs that occurred in the time frame of October 1, 2008 to February 28, 2009, before NEMIS configuration management responsibility was transitioned to the new contractor. Of the three SCRs tested, we noted that one was missing the required initial approval prior to moving the change into the TDL environment for testing.
Recommendation: We recommend that FEMA, in accordance with DHS and FEMA policy, ensure that when implementing the new NEMIS emergency change management process all required approvals are obtained prior to development and implementation of changes into production. Additionally, FEMA should ensure that the appropriate testing is conducted and that the testing documentation is appropriately retained according to FEMA and DHS policy.

NFR #: FEMA-IT-09-38 (Repeat issue; risk rating 1)
Condition: In FY 2009, we performed follow-up test work and determined that the NFIP contractor had documented system roles and had implemented capabilities for enforcing segregation of duties for users within the Traverse application. Also, as a mitigating control, the NFIP contractor reviews a User Log report generated by Traverse for each financial user's system access, which is reviewed and signed off on every month to ensure that the appropriate privileges are assigned. However, the incompatible duties that must remain segregated when granting and maintaining user access to the Traverse application have not been documented.
We also reviewed the Traverse Standard Operating Procedure (SOP) for Financial Processes and noted that it states that a Traverse user log is produced to show appropriate user access to perform accounting duties and usage of the Traverse accounting system. However, the SOP does not include policies and procedures regarding segregating incompatible duties within Traverse.
Recommendation: Continuing with our prior year recommendation, NFIP should document Traverse duties that are incompatible and develop and implement policies and procedures for properly segregating incompatible duties within the system when granting and maintaining access.

NFR #: FEMA-IT-09-39 (Repeat issue; risk rating 2)
Condition: The Traverse and TRRP Contingency Plan has not been tested, and a test of the system fail-over capability at the alternate processing site has not been conducted. Also, we did not receive the requested NFIP Certification & Accreditation (C&A) package that includes the Traverse and TRRP Contingency Plan and the test results. As a result, we determined that a current contingency plan for the TRRP and Traverse applications does not exist.
Recommendation:
• Complete the documentation and testing of the TRRP and Traverse Contingency Plan, to include all critical phases of the plan in accordance with DHS policy requirements for high impact systems. In addition, NFIP should conduct a test of the system fail-over capability at the alternate processing site and ensure that TRRP and Traverse processing is tested in
accordance with DHS guidance.\n         At the time of our audit testwork, we were            \xe2\x80\xa2    Revise the NFIP Bureau and Statistical\n         informed that due to delays in implementation of           Agent Disaster Recovery and Continuity\n         the new system of record, NFIP and the NFIP IT             of Operations Plan to incorporate the\n         contractor had initiated efforts FEMA\xe2\x80\x99s Chief              Traverse and TRRP alternate processing\n         Information Security Officer (CISO) to recertify           facility and the TRRP critical data files in\n         and accredit the NFIP legacy system and update             accordance with DHS guidance for high\n         and test the Traverse and TRRP Contingency                 impact systems. Additionally, the revised\n         Plan and NFIP Bureau and Statistical Agent                 plan should be tested and updated with\n         Disaster Recovery and Continuity of Operations             lessons learned from the testing.\n         Plan.\n\n\n                                                                   62\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                              Department of Homeland Security\n                                                                                                                          Appendix B\n                                           Information Technology Management Letter\n                                                      September 30, 2009\n\n                                                                                                                  New     Repeat        Risk\nNFR #                        Condition                                        Recommendation\n                                                                                                                  Issue    Issue       Rating\n         Furthermore, the 
NFIP Bureau and Statistical\n         Agent Disaster Recovery and Continuity of\n         Operations Plan provided for auditor review does\n         not incorporate the Traverse and TRRP alternate\n         processing facility or TRRP critical data files.\n\nFEMA-    We determined that access for Core IFMIS              Review and revise the Office of the Chief                    X            3\nIT-09-   Oracle database users was appropriately               Financial Officer\xe2\x80\x99s existing Procedures for\n  45     documented and authorized. Thus, this portion of      Granting Access to IFMIS to require\n         the prior year recommendation, as it relates to the   authorization of new and modified Core\n         Core IFMIS database, is closed.                       IFMIS user accounts by supervisors, program\n                                                               managers, and contracting officers\xe2\x80\x99 technical\n         Additionally, we reviewed a selection of 40 Core\n                                                               representatives (COTRs) in accordance with\n         IFMIS Forms 20-24 (access request forms) for\n                                                               DHS guidance. The requirements should also\n         users who were either new IFMIS users during\n                                                               include the retention of Core IFMIS access\n         the fiscal year or whose access profile changed\n                                                               authorization documentation.\n         during the fiscal year outside of the\n         recertification process. 
We determined that of        \xe2\x80\xa2    Develop and implement of policies and\n         the 40 active application users tested:                    procedures over periodic recertification of\n                                                                    all user access to the Core IFMIS Oracle\n         \xe2\x80\xa2   Two users did not have a completed Form\n                                                                    database, and retain auditable records in\n             20-24 on file;\n                                                                    accordance with DHS policies and\n         \xe2\x80\xa2   FEMA was unable to provide evidence that\n                                                                    procedures as evidence that\n             the initial account creation of ten accounts\n                                                                    recertifications are conducted and\n             during FY 2009 were authorized; and\n                                                                    completed periodically. Additionally, if\n         \xe2\x80\xa2   FEMA was unable to provide evidence that               the Core IFMIS/G&T IFMIS merger is\n             modifications to account privileges for ten            performed in FY 2010, ensure that a\n             accounts were authorized.                              
recertification of IFMIS Oracle accounts\n         FEMA management additionally informed us that              is performed prior to the merger.\n         recertification of IFMIS Oracle database accounts\n         had not been performed during FY 2009.\n         Consequently, we concluded that while certain\n\n\n                                                                   63\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                              Department of Homeland Security\n                                                                                                                         Appendix B\n                                           Information Technology Management Letter\n                                                      September 30, 2009\n\n                                                                                                                 New     Repeat        Risk\nNFR #                       Condition                                        Recommendation\n                                                                                                                 Issue    Issue       Rating\n         corrective actions to address weaknesses over\n         Core IFMIS account management have been\n         implemented, FEMA has not consistently\n         maintained documentation for initial account\n         creation or subsequent account modification for\n         the application, and FEMA has not developed or\n         implemented a process to recertify accounts on\n         the IFMIS Oracle database.\nFEMA-    We determined that a MOU and Interconnection          No recommendation is required for this                      X            1\nIT-09-   Sharing Agreement (ISA) was documented,              weakness that existed for the majority of FY\n  46     accepted, and signed by FEMA and the                 2009 because it was remedied on 
April 22,\n         Department of Treasury on April 22, 2009.            2009 when the MOU and ISA were signed by\n         Consequently, while the prior-year                   FEMA and Treasury management.\n         recommendation was addressed, the\n         interconnection was operating without authority\n         for a majority of the fiscal year and the NFR is\n         re-issued.\nFEMA-    During the FY 2009 audit, we were informed that      Complete planned corrective actions to                       X            3\nIT-09-   internal vulnerability scans are conducted every     develop and implement an SOP that outlines\n  48     month on the NEMIS systems. However, FEMA            the process for formally reporting and\n         personnel informed us that identified                tracking resolution of weaknesses identified\n         vulnerabilities and related corrective actions are   during internal NEMIS vulnerability scans in\n         reported and tracked via emails and not              accordance with DHS guidance.\n         documented in POA&Ms.\n\nFEMA-    During FY 2009 follow-up testwork, we obtained       \xe2\x80\xa2    Revise and implement policies and                       X            3\nIT-09-   evidence that \xe2\x80\x9csuperuser\xe2\x80\x9d activity reports for            procedures that document requirements\n  50     CORE IFMIS were appropriately reviewed by                 for configuring, retaining, and reviewing\n         FSS personnel in accordance with FEMA and                 audit trails for the Core IFMIS application\n         DHS policy. Consequently, this portion of our             and database, in accordance with DHS\n         recommendation for prior year NFR FEMA-IT-                policy. 
Additionally, ensure that all DHS\n\n\n                                                                  64\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                            Department of Homeland Security\n                                                                                                                        Appendix B\n                                         Information Technology Management Letter\n                                                    September 30, 2009\n\n                                                                                                                New     Repeat        Risk\nNFR #                       Condition                                      Recommendation\n                                                                                                                Issue    Issue       Rating\n         08-50 is closed.                                        requirements are met through this process,\n                                                                 including appropriate supervisory review\n         However, FSS personnel informed us that failed\n                                                                 and retention.\n         database login attempts and activity performed\n         by application users with the \xe2\x80\x9csuperuser\xe2\x80\x9d role     \xe2\x80\xa2    Implement configurations on the Core\n         remain the only forms of activity logged and            IFMIS application and database in\n         monitored for Core IFMIS. 
Other activity on the         accordance with DHS policy to ensure\n         application and database required to be logged by       that audit logs sufficiently record required\n         DHS policy, including successful logins, access         auditable events and activities.\n         modifications, and changes to user profile, are\n         not enabled within Core IFMIS. Additionally,\n         we noted that a procedure does not exist to\n         establish the process for reviewing and retaining\n         evidence of these logs once the configurations are\n         implemented.\n         FEMA reported in the FY 2008 audit remediation\n         plan that internal instructions describing the\n         review process for these two reports were\n         documented. We reviewed the SOP, Monitoring\n         of IFMIS Database Audit Logs, and determined it\n         addresses the process for reviewing the daily\n         Oracle failed login report. However, documented\n         instructions concerning the review of weekly\n         \xe2\x80\x9csuperuser\xe2\x80\x9d reports were not provided to us\n         during the audit.\nFEMA-    During our FY 2009 integrated test work, IT         Revise and enforce the SOP for Handling of                   X            3\nIT-09-   Enterprise Operations personnel informed us that   Oracle Audit Logs to ensure that the\n  51     the SOP for Handling of Oracle Audit Logs was      procedures are developed and implemented in\n         implemented for the databases specified in the     accordance with DHS guidance, to include:\n         SOP and that evidence of audit log reviews are\n                                                                 \xe2\x80\xa2   All databases within the defined\n         retained. 
However, we noted that weaknesses in\n                                                                     system boundaries that support\n         NEMIS database audit controls still exist, as\n\n                                                                65\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                            Department of Homeland Security\n                                                                                                                      Appendix B\n                                         Information Technology Management Letter\n                                                    September 30, 2009\n\n                                                                                                              New     Repeat        Risk\nNFR #                      Condition                                       Recommendation\n                                                                                                              Issue    Issue       Rating\n        follows:                                                     NEMIS financial applications and\n        \xe2\x80\xa2   During our inspection of the SOP, we noted               modules within the scope of the SOP;\n            that it requires the procedures to be               \xe2\x80\xa2    Requirements for audit logging and\n            performed for two specific NEMIS                         retention of audit trails;\n            databases, the National Processing Service          \xe2\x80\xa2    Periodic reviews of audit trails for\n            Center (NPSC) database and the                           NEMIS databases; and\n            Consolidated Master database. However,               \xe2\x80\xa2   Appropriate segregation of duties\n            through additional testwork, we noted that               principles.\n            NEMIS has at least 23 databases.                
 Implement configurations on NEMIS\n            Consequently, not all of the databases that      databases in accordance with DHS policy\n            comprise NEMIS are included within the           over required auditable events and activities.\n            scope of the SOP, and we were informed by\n            IT Enterprise Operations personnel that no\n            additional SOPs exist that address auditing\n            logging for the remaining 21 databases.\n        \xe2\x80\xa2   The SOP has not been updated to require that\n            successful logins, access modifications,\n            highly privileged user account activity, and\n            changes to user profiles are logged and\n            reviewed.\n        \xe2\x80\xa2   On four of the NEMIS databases related to\n            financial processing that we selected for\n            testing, we determined that configurations are\n            not fully enabled so that a review of audit\n            trails and activity defined by DHS policy\n            requirements can be completed.\n        \xe2\x80\xa2   Based on our review of audit log\n            documentation, we noted that reviews of\n            audit logs for NEMIS databases are\n            performed by the database administrators\n            (DBAs) who have been assigned\n\n                                                               66\n                   Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                              Department of Homeland Security\n                                                                                                                      Appendix B\n                                           Information Technology Management Letter\n                                                      September 30, 2009\n\n                                                                                                              New     Repeat        Risk\nNFR 
#                        Condition                                      Recommendation\n                                                                                                              Issue    Issue       Rating\n             administrator privileges to administer the\n             databases. Thus, we determined that\n             database audit log review duties are not\n             appropriately segregated from DBA duties.\n\nFEMA-    In FY 2009, we performed follow-up testwork           We recommend that FEMA dedicate the                      X            3\nIT-09-   and were informed that FEMA is currently in the       appropriate resources to complete efforts to\n  52     process of updating the NEMIS patch                   document, finalize, and implement\n         management policy and that the finalized policy       comprehensive patch management policies\n         had not been implemented. However, FEMA               and procedures for NEMIS, in accordance\n         could not provide us with a copy of the requested     with DHS policy. Additionally, FEMA\n         draft policy that was reported as under               should ensure that these procedures include\n         development for our review. Based on additional       requirements for responding to DHS Security\n         inquiry, we also determined that the timeframe        Operations Center (SOC) and DHS Computer\n         for implementing patches on FEMA systems has          Security Incident Response Center (CSIRC)\n         not been established, in accordance with DHS          notifications to ensure compliance with the\n         guidance.                                             
timely implementation of required patches.\n\nFEMA-    During our FY 2009 audit, we reviewed FEMA\xe2\x80\x99s          Ensure that NEMIS SSP is updated in                      X            2\nIT-09-   Remediation Plan and we noted that FEMA               accordance with DHS policy so that the\n  53     management had reported that corrective action        system\xe2\x80\x99s boundaries, components, and\n         to update the NEMIS SSP had been fully                responsibilities surrounding the various\n         implemented. We obtained the NEMIS SSP                subsystems and major applications of NEMIS\n         dated February 16, 2009 for our review and noted      are accurately and comprehensively\n         that the plan had been revised since our prior year   documented in the plan.\n         audit. However, upon further inspection, we\n         determined that the current plan does not fully\n         document the system\xe2\x80\x99s boundaries, define all of\n         the NEMIS subsystems and major applications,\n         nor establish security responsibilities for the\n         various system components.\n\n\n\n                                                                 67\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                             Department of Homeland Security\n                                                                                                                    Appendix B\n                                          Information Technology Management Letter\n                                                     September 30, 2009\n\n                                                                                                            New     Repeat        Risk\nNFR #                       Condition                                    Recommendation\n                                                                                              
              Issue    Issue       Rating\n\n\n\n\nFEMA-    In FY 2009, KPMG performed testwork over           We recommend that NFIP management                         X            2\nIT-09-   Traverse configuration management. Upon            ensure the implementation of an updated\n  54     inspection of the System Change Control            version of the current Traverse configuration\n         Procedures, that address Traverse configuration    management procedures that comprehensively\n         management, we noted that the procedures           addresses FEMA and DHS requirements.\n         outline steps for controlling changes during the\n         change control process for Traverse. However,\n         the procedures do not include comprehensive\n         configuration management guidance that\n         addresses the following elements required by\n         FEMA and DHS policy:\n         \xe2\x80\xa2   configuration identification\n         \xe2\x80\xa2   configuration control\n         \xe2\x80\xa2   version control\n         \xe2\x80\xa2   configuration status accounting\n         \xe2\x80\xa2   configuration audits\n         \xe2\x80\xa2   Establishing a Change Control Board (CCB)\n             or TRC for evaluating changes prior to\n             production.\n\n\n\n\n                                                              68\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                             Department of Homeland Security\n                                                                                                                        Appendix B\n                                          Information Technology Management Letter\n                                                     September 30, 2009\n\n                                                                                                                New     Repeat        Risk\nNFR #                   
    Condition                                       Recommendation\n                                                                                                                Issue    Issue       Rating\nFEMA-    Based on observations conducted with FSS and         \xe2\x80\xa2    Revise the formal process for reviewing        X                    3\nIT-09-   G&T IFMIS database personnel, we identified               and disabling inactive G&T IFMIS Oracle\n  56     the following weaknesses in database security             database user accounts to adhere to DHS\n         controls:                                                 policy over disabling inactive accounts on\n                                                                   high impact systems.\n         \xe2\x80\xa2    A manual review of inactive G&T IFMIS\n              database accounts is performed on a monthly     \xe2\x80\xa2    Configure all G&T IFMIS Oracle\n              basis to disable accounts which have not             database user accounts to adhere to DHS\n              been used in the past 90 days. However,              policy for passwords and authenticator\n              since IFMIS is categorized as a high impact          controls.\n              system, reviews are required to identify\n              accounts that have been inactive for 45 days.   
\xe2\x80\xa2    Establish a formal process for granting\n                                                                   emergency and temporary IFMIS G&T\n         \xe2\x80\xa2 Emergency and temporary access to the G&T\n                                                                   database access that includes segregation\n              IFMIS database, including access for\n                                                                   of duties considerations and appropriate\n              contractor development personnel, is\n                                                                   approval from FEMA management in\n              approved by the FSS Chief and/or their staff,\n                                                                   accordance with DHS policy.\n              not by the FEMA CISO/Information System\n              Security Manager (ISSM) or a designee, as\n              required by DHS policy.\nFEMA-    Based on observations conducted with FSS and         \xe2\x80\xa2    Configure the G&T IFMIS databases to                                3\nIT-09-   G&T IFMIS database personnel, we determined               log events and retain audit records in\n  57     that Oracle database audit trails are not                 accordance with DHS policy; and\n         configured to capture any activity, including\n         failed login attempts or administrator-level         \xe2\x80\xa2    Develop and implement policies and\n         actions.                                                  
procedures surrounding the requirements\n                                                                   for G&T IFMIS database audit logging to\n                                                                   include the periodic review of database\n                                                                   audit logs in accordance with DHS policy.\nFEMA-    Based on collaborative inquiry with FSS and          \xe2\x80\xa2    Establish a formalized process for the        X                     3\nIT-09-   application and database administrators, we               recertification of the G&T IFMIS\n  58     concluded that a management review to validate            application and database accounts or\n         the appropriateness of G&T application and                include G&T IFMIS in the scope of the\n\n\n                                                                  69\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                            Department of Homeland Security\n                                                                                                                      Appendix B\n                                         Information Technology Management Letter\n                                                    September 30, 2009\n\n                                                                                                              New     Repeat        Risk\nNFR #                      Condition                                      Recommendation\n                                                                                                              Issue    Issue       Rating\n         Oracle database user accounts has not been              formalized processes for the\n         formally implemented or performed by FSS this           recertification of Core IFMIS application\n         fiscal year. 
(NFR continued from the previous page)

Condition (continued): Additionally, FSS management further informed us that no recertification of accounts was conducted when the application was acquired and brought online at FEMA in FY 2007 and has not been conducted since.

Recommendation (continued): ... and database accounts. Additionally, ensure that the established processes are developed and implemented in accordance with DHS guidance.
• Conduct an immediate recertification of user account access on the G&T IFMIS application and Oracle database to validate the continued appropriateness of access as being commensurate with job responsibilities.

NFR # FEMA-IT-09-59    New Issue: X    Risk Rating: 3

Condition: In FY 2009, we performed test work over the G&T “ifmiscm” account to determine the controls in place for the migration of changes into production. The “ifmiscm” account is used by the FEMA development contractor to deploy changes into the UNIX production environment. Per our review, we noted that the G&T IFMIS application programmers responsible for maintaining and developing changes for the G&T IFMIS application are also responsible for migrating application code changes into the production environment using the “ifmiscm” account. Additionally, when we inspected the account, the G&T “ifmiscm” account was not locked on May 15, 2009, which allowed the contractor unrestricted access to the production environment. We were further informed by FEMA personnel that access to that account is not limited or monitored on a periodic basis.

Recommendation:
• Limit the contracted developers’ access to the G&T IFMIS production environment to “read only” and segregate the responsibility for deploying application code changes into production from the contractor to an independent control group.
• If business need requires that the segregation of duties cannot be immediately implemented, FEMA should document policies and procedures to mitigate the risk associated with the segregation of duties weakness noted, in accordance with DHS guidance.

Information Technology Management Letter for the FY 2009 DHS Integrated Audit

Department of Homeland Security
Appendix B
Information Technology Management Letter
September 30, 2009

NFR # / Condition / Recommendation / New Issue / Repeat Issue / Risk Rating

NFR # FEMA-IT-09-60    New Issue: X    Risk Rating: 2

Condition: During our testwork, we concluded that the “Legacy NFIP IT System” C&A pertaining to the Traverse application, TRRP application, and NFIP LAN expired on October 4, 2008. Consequently, the legacy system has since been operating without a current Authorization to Operate (ATO). Furthermore, we were not provided the requested NFIP C&A package consisting of the following artifacts:
• FIPS 199 Categorization
• Privacy Impact Assessment
• E-Authentication
• Risk Assessment
• SSP
• Contingency Plan
• Security Test and Evaluation
• Contingency Plan Testing
• Security Assessment Report
• ATO
• Annual NIST SP 800-53-based Self-Assessments

Recommendation: We recommend that NFIP immediately work with FEMA’s CISO to complete the recertification and accreditation of the NFIP legacy system in accordance with applicable DHS policies and Federal guidance.

NFR # FEMA-IT-09-61    New Issue: X    Risk Rating: 3

Condition: The G&T instance of IFMIS was brought online at FEMA in FY 2007 after acquisition from the Department of Justice. However, we determined that a C&A of the system had not been performed, and the system has not received an ATO. Specifically, the following C&A elements have not been completed, documented, or approved for G&T IFMIS and will not be for the remainder of the fiscal year:
• FIPS 199 categorization
• Privacy Impact Assessment
• E-Authentication
• Risk Assessment
• SSP
• Contingency Plan
• Security Test and Evaluation
• Contingency Plan Testing
• Security Assessment Report
• ATO
• Annual NIST SP 800-53-based Self-Assessments
In addition, we determined that at the time of our test procedures, neither an ISSO nor a DAA had been formally designated for the G&T instance of IFMIS by FEMA management.

Recommendation:
• Formally designate an ISSO and DAA for G&T IFMIS.
• Immediately work with FEMA’s Information Security Office to certify and accredit the G&T IFMIS instance in accordance with applicable DHS policies and Federal guidance. If FEMA management makes a business decision to conduct a C&A of IFMIS after the merger and not over the existing G&T IFMIS instance, as a mitigating control, FEMA should immediately conduct an assessment of key controls to identify security weaknesses and determine the operational risks related to IFMIS G&T. The weaknesses identified should be documented with plans for accelerated remediation efforts, or the related risks should be formally accepted by FEMA in accordance with DHS guidance.

NFR # FEMA-IT-09-62    New Issue: X    Risk Rating: 3

Condition: We reviewed the VPN Rules of Behavior for Users Behind Corporate Firewalls, dated December 5, 2002, and noted that individual VPN access request forms are required to be completed, approved by managers, and submitted to the National Help Desk, Enterprise Service Desk (ESD). However, we noted that the requirements do not include approval by the system owner or a designated representative, as required by DHS policy.
We reviewed a blank VPN Access Request Form and noted that an approval block titled “For FEMA Office of Cyber Security (OCS) Use Only” is included and that the form states that all VPN requests must be approved by the FEMA OCS. We reviewed a selection of 25 completed forms for active VPN user accounts and determined that, while the forms were approved by the requestor’s manager or supervisor, none of the forms had an approval noted by OCS or an appropriate designated representative of the system owner. Additionally, we were informed by FEMA IT security personnel that OCS, as referred to in the Rules of Behavior and the request form, does not currently exist as a FEMA Division due to FEMA’s reorganization. Consequently, existing policies and procedures do not reflect the current security management structure at FEMA, nor do they assign responsibility to a current entity within the agency.
Additionally, we were informed that a periodic recertification of FEMA VPN access accounts is not currently performed to ensure that remote access is still necessary and appropriate for each individual. VPN accounts are managed within the FEMA LAN, specifically the Active Directory environment, and subsequently added to the Cisco Access Control Server (ACS) that permits VPN access. However, through test work conducted over the FEMA LAN, we determined that a recertification of network user accounts is not performed.

Recommendation:
• Revise and implement policies and procedures for documenting, reviewing, and approving individual VPN user accounts for employees of external entities requiring access to the FEMA network via VPN access, and ensure that sufficient resources are dedicated to appropriately authorizing accounts on behalf of the system owner or a designee, according to FEMA and DHS policy.
• Develop and implement policies and procedures in accordance with DHS policy to perform a periodic recertification of all VPN user access and retain auditable records as evidence that recertifications are conducted and completed periodically.

NFR # FEMA-IT-09-63    New Issue: X    Risk Rating: 3

Condition: We noted the following weaknesses in the process for authorizing remote VPN access to external organizations, including state emergency management agencies and FEMA contractors:
• The existing documentation that defines the process for granting and maintaining VPN access to the FEMA network does not include requirements for administering the site survey process, including requirements for the authorization of the site surveys, recertification of site surveys, and the security requirements associated with the various aspects of the process.
• FEMA has not formally identified and documented the roles and responsibilities necessary within FEMA to properly authorize and administer VPN access to individuals using non-DHS equipment to access the FEMA network.
Additionally, we noted that the current process in place for granting remote access to the FEMA network through VPN is not in compliance with FEMA, DHS, and NIST guidance. Specifically, we noted the following weaknesses:
• Access for state emergency management agencies and FEMA contractors to load the VPN client onto state or contractor owned equipment to connect to the FEMA LAN is approved by the SOC. However, DHS policy requires that any non-DHS equipment connecting to a DHS network must be authorized by the Component CISO/ISSM.
• Two-factor authentication is not used for VPN access, as required by DHS policy.
• FEMA’s VPN Rules of Behavior for Users Behind Corporate Firewalls, dated December 5, 2002, requires an Inter-Agency VPN Agreement between FEMA and external organizations before permitting VPN access to the FEMA network through non-Government issued equipment such as contractor or state agency workstations. However, we determined that the Inter-Agency VPN Agreements have not been documented and that this requirement is inconsistent with DHS policy, which requires ISAs or Memoranda of Understanding/Memoranda of Agreement (MOUs/MOAs) prior to establishing a VPN connection from equipment operating on an external network.
• FEMA’s approval of requests for network connections to external organizations through VPN access for remote users is based on security control information submitted by the external entities via site surveys. Based upon our review of existing site surveys and the site survey process, we noted that site surveys were outdated, did not contain the level of technical granularity describing the external network security controls required to appropriately approve a connection to the FEMA LAN, and were not independently verified for accuracy by FEMA. Additionally, we determined that DHS guidance indicates that a single ISA may be used for multiple connections provided that the security accreditation is the same for all connections covered by that ISA. However, we determined that the security accreditation of multiple connecting networks listed in single ISAs with external entities is not being evaluated by the FEMA SOC to ensure the security requirements are appropriately implemented.

Recommendation:
• Revise and implement policies and procedures for documenting, reviewing, and approving the security controls in place over non-DHS equipment connecting to the FEMA network via VPN access. Specifically, FEMA should clearly define and document a formalized process for the authorization, review, and maintenance of VPN access agreements between FEMA and external entities. Additionally, ensure that within the policies and procedures, appropriate roles and responsibilities over the process are defined to include authorizations by the Component CISO/ISSM to connect to non-DHS equipment.
• Draft and formalize ISAs, MOUs, and MOAs delineating security responsibilities of FEMA and external organizations when connecting through non-DHS equipment to the FEMA network via VPN access. Such agreements should include evidence of validation by FEMA management that security controls in place on external entity networks are appropriate and satisfy requirements for minimum security controls on DHS and FEMA systems prior to connection.
• Ensure that agreements related to VPN access are reviewed and recertified on a periodic basis, specifically when a major system change occurs or every three years, in accordance with DHS policy.
• Implement and require two-factor authentication for all remote access to the FEMA network, including VPN and all other tools used for remote access, in accordance with DHS policy and FIPS 140-2.

NFR # FEMA-IT-09-64    New Issue: X    Risk Rating: 2

Condition: The Core IFMIS database is not configured to retain a history of account passwords in order to prevent reuse. However, DHS guidance requires passwords to be configured so that users cannot reuse the last eight passwords.

Recommendation:
• Configure the Core IFMIS Oracle database to enforce DHS policy requirements regarding the reuse of user passwords.
• Develop and implement procedures to ensure that those with systems administration and security responsibilities over the Core IFMIS database environment are made aware of DHS, FEMA and Federal system security requirements and guidance and are properly trained in those requirements and guidance.

NFR # FEMA-IT-09-65    New Issue: X    Risk Rating: 3

Condition: We determined that of 40 access request forms (Form 20-24) for active G&T IFMIS application users selected:
• FEMA was unable to provide documented evidence that the initial account creation of 11 accounts in FY 2009 was authorized; and
• FEMA was unable to provide documented evidence that modifications to account privileges for 11 accounts were authorized.
Additionally, we requested for review a selection of eight G&T IFMIS Oracle Database User Access Control Forms for G&T IFMIS Oracle database users whose accounts were created during the fiscal year. We determined that of the eight users selected, two did not have documented evidence that the accounts were authorized or appropriately approved prior to creation.

Recommendation: We recommend that FEMA review and revise the Office of the Chief Financial Officer’s existing Procedures for Granting Access to IFMIS to specifically require the authorization of new and modified G&T IFMIS user accounts by supervisors, program managers, and/or contracting officers’ technical representatives for the G&T IFMIS application and database in accordance with DHS guidance. The requirements should also include retention guidance for G&T IFMIS access authorization documentation.

NFR # FEMA-IT-09-66    New Issue: X    Risk Rating: 3

Condition: Based on observations conducted with IT Enterprise Operations database personnel over the four databases selected for test work that process NEMIS financial data, we determined that DBA account passwords are not required to be “strong passwords.” Specifically:
• No minimum password length is enforced.
• Password complexity is not required, so passwords need not include a combination of upper/lowercase letters, numbers, and special characters.
• Reuse of previous passwords is not prohibited.
• Passwords are not configured to expire and be forcibly changed after a predetermined length of time.

Recommendation:
• Configure all NEMIS Oracle databases to enforce the DHS policy for passwords and authenticator control requirements, including expiration, reuse, and length and complexity.
• Develop and implement procedures to ensure that those with systems administration and security responsibilities over the NEMIS database environment are made aware of DHS, FEMA and Federal requirements and guidance and are properly trained in those requirements and guidance.

NFR # FEMA-IT-09-67    New Issue: X    Risk Rating: 2

Condition: Based on observations conducted over the FEMA domain policy and an end-user workstation, we determined that workstations are configured to activate a password-protected screensaver after 15 minutes of inactivity, rather than the five-minute inactivity threshold required by DHS policy.

Recommendation: Implement the plan to configure the FEMA LAN domain security policy to automatically activate a password-protected screensaver on end-user workstations after five minutes of inactivity, consistent with DHS policy.

NFR # FEMA-IT-09-68    New Issue: X    Risk Rating: 3

Condition: We determined that a C&A of PARS was not performed and the system had not received an ATO. Specifically, no evidence exists to support that the required C&A elements have been completed, documented, or approved for PARS. In addition, we determined that at the time of our test procedures, neither an ISSO nor a DAA had been formally designated by FEMA management for PARS.

Recommendation:
• Formally designate an ISSO and DAA for PARS.
• Immediately work with FEMA’s Chief Information Security Office to certify and accredit PARS in accordance with applicable DHS policies and Federal guidance.

NFR # FEMA-IT-09-69    New Issue: X    Risk Rating: 2

Condition: Upon inspection of the NFIP Technical Services Department Production Systems Control Unit Procedures, which address TRRP configuration management, we noted that the procedures outline steps for controlling changes during the change control process for TRRP. However, the procedures do not include comprehensive configuration management guidance that addresses the required elements of a comprehensive configuration management plan in accordance with FEMA and DHS policy.
Furthermore, we performed testwork over initial approval, testing, and implementation of a selection of 25 TRRP changes made in FY 2009 and noted the following exceptions:
• 16 out of the 25 changes did not obtain initial OSR approvals prior to developing the change.
• All 25 changes did not obtain TRC or CCB approval for production implementation.

Recommendation: Ensure implementation of an updated version of the current TRRP configuration management procedures that comprehensively addresses FEMA and DHS requirements. The updated procedures should require initial approvals of OSRs and establish a process for obtaining CCB and TRC approvals prior to implementing changes into production, in accordance with DHS policies and procedures.

NFR # FEMA-IT-09-70    New Issue: X    Risk Rating: 2

Condition: We were informed by the NFIP contractors that no patch management policy and procedures exist for the Windows operating system which supports the Traverse application and the NFIP LAN.
Additionally, we determined that while NFIP has documented the Traverse System Software Procedures, which outline the process to initiate, approve, test, and implement operating system upgrades into production, the procedures do not specifically address patch management. Furthermore, the procedures do not provide robust guidance for approving, installing, and testing patches according to DHS requirements.

Recommendation: Document, finalize, and implement comprehensive patch management policies and procedures for the NFIP LAN and the Traverse operating system, in accordance with DHS policy. Additionally, NFIP should ensure that this procedure includes requirements for authorizing, testing, and approving patches to be implemented into production and for responding to DHS SOC and DHS CSIRC notifications, to ensure compliance with the timely implementation of required patches.

NFR # FEMA-IT-09-71    New Issue: X    Risk Rating: 2

Condition: During our after-hours physical testing, we identified 42 written unprotected passwords, four external memory drives, two documents labeled as ‘For Official Use Only (FOUO)’, two badges, two instances of unsecured Personally Identifiable Information (PII), one instance of a written server name with an Internet Protocol (IP) address, and one unsecured laptop.

Recommendation: We recommend that appropriate FEMA management review the effectiveness of existing security awareness programs designed to protect electronic and physical data and ensure that individuals are adequately instructed and reminded of their roles in the protection of both electronic and physical FEMA data and hardware. Additionally, FEMA employees and contractors should be made aware of the need to protect PII, as well as information marked “FOUO.”

NFR # FEMA-IT-09-72    New Issue: X    Risk Rating: 3

Condition: Through discussions with FSS personnel, we determined that the description of mitigating and compensating controls noted in the approved DHS Waivers and Exceptions Request for Core IFMIS does not accurately reflect the operating environment for the Core IFMIS application and database. Specifically:
• Successful database connections are not logged, as described.
• Superuser activity is monitored at the application level. However, no other audit logs or records described in the request are reviewed.
• The exception request states that “direct access to the IFMIS database is restricted to approximately 70 users, and is read-only in nature for the purposes of running ClearAccess report functions”; however, direct access to the database includes DBAs with read/write privileges in addition to ClearAccess read-only users.

Recommendation:
• Submit a revised DHS Waivers and Exceptions Request Form that accurately reflects the mitigating and compensating controls in place on the Core IFMIS environment to justify exception from DHS policy concerning audit logging on the Core IFMIS database.
• Ensure that future waiver and exception requests involve the input, review, and approval of system owners and administrators to provide adequate assurance that the documented risk mitigation strategies accurately reflect security controls in place.
• Ensure that FEMA establishes a more formal communication process for providing approved waivers back to system owners so that any requirements for the implementation of additional
controls are reviewed and executed\n        \xe2\x80\xa2   Approval was granted by the DHS CISO with         appropriately and timely.\n            an added condition that FEMA periodically\n            capture the audit records at a database level\n            and compare them to the application logs to\n            ensure that data is correct at the application\n            level. However, the requirement had not\n            been implemented at the time of our FY 2009\n            audit procedures.\n        Consequently, we concluded that the request for\n        an exception to DHS policy requirements related\n        to audit logging for the Core IFMIS Oracle\n        database was approved by the DHS CISO based\n        on inconsistent or inaccurate information about\n        the system environment and current controls in\n        place to mitigate the risk of not implementing\n        DHS policy. Additionally, the DHS CISO\xe2\x80\x99s\n        condition for granting approval has not been met\n        by FEMA.\n\n\n\n\n                                                             81\n                   Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                              Department of Homeland Security\n                                                                                                                         Appendix B\n                                           Information Technology Management Letter\n                                                      September 30, 2009\n\n                                                                                                                 New     Repeat        Risk\nNFR #                       Condition                                        Recommendation\n                                                                                                                 Issue    Issue       Rating\nFEMA-    Based on observations conducted 
with FEMA IT         \xe2\x80\xa2    FEMA should develop and implement               X                    3\nIT-09-   security personnel and IFMIS UNIX system                  policies and procedures over the\n  73     administrators, we determined that the \xe2\x80\x9croot\xe2\x80\x9d             monitoring of system administrator and\n         account access is not properly restricted and             highly-privileged account activity in the\n         system administrator activities are not                   Core and G&T IFMIS UNIX\n         appropriately logged. Specifically, the password          environments, in accordance with FEMA\n         to access the UNIX \xe2\x80\x9croot\xe2\x80\x9d administrator account           and DHS policy.\n         is shared between the administrators and local\n         access to the root account is not locked down.       \xe2\x80\xa2    Implement technical controls to restrict\n         Additionally, FEMA has not enforced the use of            access to the \xe2\x80\x9croot\xe2\x80\x9d account through the\n         the switch user command, \xe2\x80\x9csudo,\xe2\x80\x9d which requires           use of \xe2\x80\x9csudo\xe2\x80\x9d to ensure that explicitly\n         system administrators to login with their userID          authorized individuals only have access to\n         and switch over to the root account to ensure who         the account.\n         is accessing the account is logged and authorized.   
\xe2\x80\xa2    Ensure that system logs and records of\n         Additionally, we determined that system logs and          administrator activity, including \xe2\x80\x9csudo\xe2\x80\x9d\n         reports of administrator activity, including the          activity related to the \xe2\x80\x9croot\xe2\x80\x9d account, are\n         \xe2\x80\x9csudo\xe2\x80\x9d log, which monitors actions performed by           retained and reviewed by IT security\n         administrators while acting as the \xe2\x80\x9croot\xe2\x80\x9d account,        management independent of the system\n         were not reviewed by FEMA management                      administration team.\n         personnel independent of the system\n         administration staff.\nFEMA-    FEMA\'s systems inventory does not include all        Update the FEMA system inventory to                 X                     3\nIT-09-   financial systems. Specifically, G&T FMIS and        include the G&T instance of IFMIS, as well\n  74     PARS were not included in the inventory              as PARS. FEMA should comply with DHS\n         provided to us during the audit by FEMA and          policy and consistently follow procedures for\n         neither system is being tracked via the Trusted      updating and monitoring their FISMA system\n         Agent Federal Information Security Management        inventory to ensure that all new and current\n         Act.                                                 
systems are accounted for with complete and\n                                                              accurate information, in accordance with\n                                                              NIST and DHS policy.\n\n\n\n                                                                  82\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                              Department of Homeland Security\n                                                                                                                       Appendix B\n                                           Information Technology Management Letter\n                                                      September 30, 2009\n\n                                                                                                               New     Repeat        Risk\nNFR #                        Condition                                      Recommendation\n                                                                                                               Issue    Issue       Rating\nFEMA-    During the audit, we determined that review of        Document defined and repeatable procedures        X                    1\nIT-09-   access to the NFIP data center is performed on an     for the review of physical access to the NFIP\n  75     ad-hoc basis. However, there are no policies or       data center in accordance with DHS and NIST\n         procedures that require periodic and documented       guidance. These procedures should, at a\n         re-certification of data center access at a defined   minimum, define the frequency of this review\n         frequency.                                            
and what documentation should be\n                                                               maintained as evidence of that review.\nFEMA-    Based on testwork performed and inquiries             Establish a formal process for granting          X                     3\nIT-09-   conducted with FSS and Core IFMIS database            emergency and temporary Core IFMIS\n  76     personnel, we determined that emergency and           database access that includes segregation of\n         temporary access to the database, including           duties considerations and appropriate\n         access for contractor development personnel, is       approval from FEMA management in\n         approved by the FSS Chief and/or their staff,         accordance with DHS policy.\n         rather than by the FEMA Chief Information\n         Security Officer (CISO)/Information System\n         Security Manager (ISSM) or a designee, as\n         required by DHS policy. Additionally, we\n         determined that the Core IFMIS Oracle database\n         access granted to contracted development\n         personnel to implement database changes to Core\n         IFMIS conflicts with segregation of duties\n         principles.\n\nFEMA-    FEMA OCFO and NFIP financial systems                  We recommend that FEMA management                X                     2\nIT-09-   development and acquisition projects were             define and implement formal and repeatable\n  77     undertaken and progressed without (1) proper          processes to ensure that financial systems\n         oversight of and direction to contractors, (2)        development and acquisition projects are\n         development and approval of required project          conducted in compliance with DHS SELC\n         documentation, (3) the continual involvement of       and acquisition requirements as well as\n         the OCIO to ensure appropriate consideration and      Federal guidance. 
The processes should\n         integration of IT security, and (4) the joint         include, but are not limited to, formal\n\n\n                                                                 83\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                              Department of Homeland Security\n                                                                                                                        Appendix B\n                                           Information Technology Management Letter\n                                                      September 30, 2009\n\n                                                                                                                New     Repeat        Risk\nNFR #                        Condition                                      Recommendation\n                                                                                                                Issue    Issue       Rating\n         communication and decision-making of FEMA            approval of required project documentation,\n         OCFO, OCIO, and NFIP management.                     
sufficient contractor oversight, definitions of\n                                                              project roles and responsibilities so that\n                                                              decision making includes the appropriate\n                                                              involvement of all stakeholders and relevant\n                                                              FEMA management, establishment of\n                                                              Acquisition Decision Events at each SELC\n                                                              phase, and integration of IT security\n                                                              considerations throughout all project phases.\n\nFEMA-    Based on our testwork, we concluded that             \xe2\x80\xa2    Document and implement a                      X                     3\nIT-09-   NEMIS configuration management is not                     comprehensive configuration management\n  78     adequately controlled, documented, or managed             plan for NEMIS which clearly defines the\n         throughout the lifecycle of the FEMA                      roles and responsibilities for FEMA and\n         configuration management process. 
Specifically,           contractor personnel managing the\n         we identified the following weaknesses:                   development of non-emergency and\n                                                                   emergency system changes, in compliance\n         \xe2\x80\xa2   NEMIS configuration management policy\n                                                                   with DHS and FEMA requirements.\n             and procedures which outline FEMA\xe2\x80\x99s\n             responsibilities and processes for initiating,   \xe2\x80\xa2    Ensure that NEMIS non-emergency and\n             monitoring, testing, and approving NEMIS              emergency system changes are tracked,\n             non-emergency and emergency changes that              controlled, properly documented, and\n             are developed under the new development               managed by FEMA personnel throughout\n             contract have not been documented and                 the lifecycle of the configuration\n             approved by FEMA management, in                       management process in accordance with\n             accordance with DHS and FEMA policy.                  
DHS and FEMA guidance and policies.\n         \xe2\x80\xa2   Once the new systems development\n             contractor delivers developed changes to\n             FEMA, FEMA does not monitor and track\n             NEMIS SCRs throughout the configuration\n             management lifecycle, from initial approval\n             through implementation into the production\n\n\n                                                                  84\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                             Department of Homeland Security\n                                                                                                                       Appendix B\n                                          Information Technology Management Letter\n                                                     September 30, 2009\n\n                                                                                                               New     Repeat        Risk\nNFR #                       Condition                                      Recommendation\n                                                                                                               Issue    Issue       Rating\n             environment. 
Instead, FEMA only tracks and\n             collects documentation for SCRs from\n             Project Managers at the final approval stage\n             when the request is received by the TRC.\nFEMA-    Based on observations conducted over the FEMA       \xe2\x80\xa2    Configure the FEMA LAN and AD                 X                     3\nIT-09-   LAN and the Microsoft Windows Active                     account policies to require strong\n  79     Directory (AD) environment, we concluded that            passwords, in accordance with DHS\n         the following weaknesses exist:                          policy.\n         \xe2\x80\xa2   The FEMA LAN domain security policy does        \xe2\x80\xa2    Finalize and fully implement the Non-\n             not enforce password requirements in                 User Specific, Shared, Other Group Type\n             accordance with DHS policy.                          Accounts SOP. Specifically, FEMA\n         \xe2\x80\xa2   Policies and procedures over the                     should ensure that policies and procedures\n             authorization of FEMA LAN accounts,                  over the granting and managing of access\n             independent of NACS approval process                 for group/shared/service and\n             outlined in the Non-User Specific, Shared,           administrator-level user accounts not\n             Other Group Type Accounts SOP, have not              authorized through NACS are\n             been finalized or implemented. Additionally,         documented and implemented\n             we determined that initial access                    consistently. Additionally, policies and\n             authorizations for a selection of AD accounts        procedures should ensure that, in\n             were not authorized.                                 
accordance with DHS policy, a clear\n         \xe2\x80\xa2   A periodic recertification of FEMA LAN               business need is established and\n             access accounts is not currently performed to        documented justifying the creation and\n             ensure that access is still necessary and            use of these types of accounts.\n             appropriate for each individual.\n                                                             \xe2\x80\xa2    Develop and implement a formal process\n         \xe2\x80\xa2   We compared a listing of active FEMA                 for performing a periodic recertification\n             LAN/AD accounts against a list of FEMA               of user access to the FEMA LAN which\n             employee separations that had occurred since         defines requirements and addresses users\n             October 1, 2008. Based on our test work, we          not accounted for during the planned\n             determined that 36 accounts remained active          recertification of NEMIS application\n             and unlocked after the account holder\xe2\x80\x99s              access.\n             separation from FEMA.\n\n\n                                                                 85\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                              Department of Homeland Security\n                                                                                                                         Appendix B\n                                           Information Technology Management Letter\n                                                      September 30, 2009\n\n                                                                                                                 New     Repeat        Risk\nNFR #                        Condition                                       Recommendation\n                                      
                                                                           Issue    Issue       Rating\n                                                               \xe2\x80\xa2    Evaluate and, if appropriate, revise\n                                                                    existing procedures over removal of\n                                                                    separated user access to ensure that all\n                                                                    separated users on the FEMA LAN are\n                                                                    removed in a timely manner. Ensure that\n                                                                    procedures and processes are\n                                                                    implemented consistently to remove\n                                                                    network accounts for all separated users\n                                                                    immediately upon notification of\n                                                                    separation, in accordance with FEMA,\n                                                                    DHS, and NIST guidance.\nFEMA-    NFIP has not developed and implemented formal         \xe2\x80\xa2    Develop and implement formal                  X                     2\nIT-09-   procedures that outline the process for                    procedures that outline the internal scan\n  80     conducting internal scans for the NFIP LAN and             processes and requirements. These\n         for assessing, reporting, and correcting identified        procedures should include, at a minimum,\n         weaknesses. 
We also determined that                        the process for assessing, reporting, and\n         remediation of vulnerabilities identified during           correcting weaknesses identified during\n         internal scans of the NFIP LAN is not formally             scans. Additionally, ensure that the scope\n         tracked and monitored through the Plan of                  of vulnerability scans conducted include\n         Actions and Milestones (POA&M) Process in                  all workstations on the NFIP LAN.\n         accordance with DHS policy.\n                                                               \xe2\x80\xa2    With the involvement of both FEMA\n         While the NFIP contractor conducts internal                management and NFIP contractors,\n         vulnerability scans of the NFIP LAN on a                   implement procedures for formally\n         monthly basis, scanning of select workstations             tracking and monitoring the remediation\n         are presently excluded.                                    
of vulnerabilities identified during the\n                                                                    internal scans of the NFIP LAN through\n                                                                    FEMA\xe2\x80\x99s POA&M process.\nFEMA-    FEMA does not have approved and finalized             \xe2\x80\xa2    Establish and formalize FEMA policies         X                     2\nIT-09-   procedures that establish formal requirements,             and procedures over the requirements,\n  81     processes, and responsibilities for performing             processes, and responsibilities for\n         regular vulnerability scans of Core and G&T                performing periodic vulnerability scans\n\n                                                                   86\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                             Department of Homeland Security\n                                                                                                                       Appendix B\n                                          Information Technology Management Letter\n                                                     September 30, 2009\n\n                                                                                                               New     Repeat        Risk\nNFR #                       Condition                                       Recommendation\n                                                                                                               Issue    Issue       Rating\n         IFMIS.                                                   
for Core and G&T IFMIS instances, in\n                                                                  accordance with DHS guidance.\n         FEMA also provided us with documented\n         evidence of a G&T IFMIS internal vulnerability      \xe2\x80\xa2    Ensure that vulnerability assessment scans\n         scan that was performed on July 17, 2009.                are performed for G&T IFMIS and that\n         However, we noted that the scan was scheduled            weaknesses identified are formally\n         and performed after our initial request for audit        reported and tracked for remediation\n         documentation. Additionally, FEMA was unable             through the DHS POA&M process, as\n         to provide us with any evidence that prior scans         required by DHS guidance.\n         of G&T IFMIS had been performed or scheduled\n         since the system was brought online in FY 2007.\nFEMA-    Upon inspection of the FEMA SOP for installing      Document, finalize, and implement                  X                     2\nIT-09-   UNIX patches to the Core and G&T IFMIS              comprehensive patch management policies\n  82     instances, we noted that it does not outline the    and procedures for Core and G&T IFMIS, in\n         process for defining a timeline for implementing    accordance with DHS policy. Policies and\n         non-emergency and emergency patches or for          procedures should include requirements for\n         authorizing, testing, and approving patches for     responding to DHS SOC and DHS Computer\n         implementation, in accordance with DHS              Security Incident Response Center\n         guidance.                                           
notifications to ensure the timely\n                                                             implementation of required patches and\n         Furthermore, FEMA IT personnel informed us\n                                                             retention of testing documentation.\n         that documented test results of UNIX patches are\n         not retained by IT personnel after testing is\n         completed.\nFEMA-    We were informed by FEMA IT System               \xe2\x80\xa2       Develop and implement a formalized a          X                     3\nIT-09-   Integrations that NEMIS\xe2\x80\x99 program directories for         process and procedures for restricting and\n  83     the TDL environment, where all User Acceptance           monitoring access over the NEMIS\n         Testing (UAT) occurs, and the NEMIS                      production directories to ensure that the\n         production environment where the code changes            principles of least privilege and\n         are implemented, are located on one server.              segregation of duties are enforced, in\n         Upon review of the processes for restricting             accordance with DHS guidance. 
NFR # (continued from the previous page; the NFR number is not shown on this page)

Condition (continued):
... access to these directories, we noted the following weakness:
  • Of the fifteen individuals with access to the server, three accounts belonged to development personnel who have write, read, execute, and modify access to all of the server's directories, which allow unrestricted access to both the production and development environments for NEMIS.
  • FEMA does not lock down the code in their server directory environment, giving all accounts unrestricted access to the NEMIS TDL and production environment after the code has been approved for implementation. Additionally, while an ad-hoc review is performed over the directories to monitor the modification dates on the production code directories, this process is not performed consistently or documented to mitigate the risk of not locking down the directories.

Recommendation (continued):
The process should include requirements over the monitoring of NEMIS system directories to ensure that no changes have occurred after the approval of NEMIS system changes.
  • Limit the developers' access to the NEMIS production directories to "read only" and segregate the responsibility for delivering application code changes into the NEMIS directory server from the contractor to an independent control group. If business need requires that the segregation of duties cannot be immediately implemented, FEMA should document policies and procedures to compensate for the risk associated with the segregation of duties weakness noted, in accordance with DHS guidance.


NFR # FEMA-IT-09-84 (New Issue; Risk Rating: 3)

Condition:
Based on testwork performed, we identified the following weaknesses in PARS database security controls:
  • PARS database accounts are not reviewed to identify accounts that have been inactive for 45 days or more, as required by DHS policy for high impact systems.
  • Strong passwords are not required and/or enforced in accordance with DHS requirements.
  • Database audit logs are not configured to capture auditable events, including failed login attempts and administrator-level actions.
  • A periodic recertification of PARS database access accounts is not currently performed to ensure that access is still necessary and appropriate for each individual.
FEMA could not provide evidence that initial PARS database access granted to one of four users was appropriately authorized, and the individual was inappropriately approved for emergency database access by the FSS Chief, rather than the FEMA CISO/ISSO/ISSM or designee, as required by DHS policy.

Recommendation:
  • Perform documented periodic reviews of PARS database accounts and disable inactive accounts, in accordance with DHS policy.
  • Configure PARS database accounts to adhere to DHS policy for passwords and authenticator controls, including expiration, reuse, and complexity.
  • Configure the PARS databases to log events and conduct documented reviews of audit logs, in accordance with FEMA and DHS policy.
  • Further define and implement a formal process that documents requirements for configuring, retaining, and reviewing audit trails for the PARS database in accordance with FEMA and DHS policy. Additionally, ensure that all DHS requirements are met through this process, including appropriate supervisory review and retention.
  • Further define and establish a formal process for granting initial access and recertifying access specifically to the PARS database that includes appropriate approval from FEMA management and requirements for temporary and emergency access, in accordance with DHS guidance.


NFR # FEMA-IT-09-85 (New Issue; Risk Rating: 2)

Condition:
Based on observations conducted with the NFIP IT contractor, we determined that while TRRP system passwords were configured to enforce password complexity using alphabetic, numeric, and special characters, the configurations did not limit the use of dictionary words. Additionally, the password configuration did not prevent the password from being any word, noun, or name spelled backwards or appended with a single digit or with a two-digit "year" string, in accordance with DHS guidance.

Recommendation:
No recommendation is required for this weakness, which existed for the majority of FY 2009, because it was remedied prior to the end of the audit when the TRRP password settings were reconfigured to enforce complexity requirements that exceed DHS requirements.


NFR # FEMA-IT-09-86 (New Issue; Risk Rating: 2)

Condition:
We noted that the NFIP IT contractors use their individually assigned system administrator accounts to log on and create sessions to allow a third party development vendor to install Traverse system changes. Additionally, we determined that NFIP does not have a formal process for monitoring changes that the vendor makes in Traverse while logged in as an administrator.

Recommendation:
  • In accordance with policy, establish a separate account for the third party vendor's use to implement Traverse changes and limit use of the account so that it is activated only on an as-needed basis.
  • Establish and implement a formal process for monitoring and verifying configuration changes made by the vendor in the Traverse environment, in accordance with DHS policy. Additionally, ensure that these procedures include requirements for documentation retention.


NFR # FEMA-IT-09-87 (New Issue; Risk Rating: 2)

Condition:
Procedures for management of FEMA IT security incidents have not been developed, approved, and implemented, in accordance with FEMA and DHS requirements. Additionally, our unannounced FY 2009 vulnerability assessment scanning activity was not detected and appropriately reported by FEMA IT personnel in accordance with DHS and FEMA policy.

Recommendation:
  • Develop, approve, and implement an SOP for managing security incidents that clearly outlines the roles and responsibilities required to maintain a continuous incident response capability, as required by DHS and FEMA policy.
  • Provide training to all personnel with incident response roles and responsibilities.


NFR # FEMA-IT-09-88 (New Issue; Risk Rating: 2)

Condition:
During our FY 2009 audit testwork, we noted that NFIP had not formally established a process for authorizing, documenting the approval and business need for service accounts, and recertifying service accounts on the TRRP system. As a result, authorization forms were not on file for all service accounts, and recertifications of access are only conducted for user accounts.

Recommendation:
  • Revise the TRRP access control policies and procedures to ensure that the creation of service accounts is appropriately authorized and that a clear business need is established and documented justifying the creation and use of these types of account, in accordance with DHS policy.
  • Ensure that policies and procedures over TRRP access authorization include a formalized process for the recertification of service accounts on an annual basis, in accordance with DHS policy.


NFR # FEMA-IT-09-89 (New Issue; Risk Rating: 2)

Condition:
FEMA did not adequately conduct suitability investigations for FEMA federal employees in accordance with DHS requirements, and position designations associated with employees with elevated system privileges did not have appropriate position sensitivity designations. We also determined that formal procedures were not developed or implemented for conducting suitability screenings of contractors accessing DHS IT systems. Additionally, suitability investigations were not appropriately conducted for contractors with access to multiple FEMA information systems holding sensitive IT security positions, and the contractors did not have position sensitivity designations.

Recommendation:
  • Further define and refine processes to ensure that background investigations for all types of federal employees are performed in accordance with DHS directives.
  • Reevaluate and assign the correct position sensitivity levels to federal employees with access to DHS information systems in accordance with DHS policy.
  • Implement procedures within FEMA Acquisitions, FEMA Personnel Security, and FEMA IT to ensure a more centralized and coordinated process for tracking and completing background investigations over contracting personnel in accordance with DHS policy.
  • Ensure that all system owners formally and correctly define the appropriate suitability designation for contracting personnel needing access to their information systems in accordance with DHS policy. Additionally, ensure that position sensitivity designations distinguish between various levels of access and require the contractor to have their suitability investigation completed prior to being granted access.


NFR # FEMA-IT-09-90 (New Issue; Risk Rating: 3)

Condition:
We determined that FEMA has certified the FEMA Switch Network (FSN)-2 switch network, which is comprised of various FEMA LANs across the regions, and each LAN is classified as a subsystem of the switch network. During our review of the C&A package, we noted that the MD National Processing Service Center (NPSC) is considered to be a sub-system to the overarching GSS FSN-2 and that the primary servers for the NEMIS, Core IFMIS, and G&T IFMIS financial applications reside on this portion of the LAN. However, the document states that no current accreditation or certification letters could be found for that subsystem during the certification and accreditation of the FSN-2 package. Specifically, there is no evidence in the package that the required C&A elements have been completed/updated, documented, or approved for MD NPSC in accordance with DHS guidance.
We further noted that the C&A package states that C&A activities are to be completed for the MD NPSC subsystem at a separate time and that no security roles were defined for the MD NPSC within the C&A. We inquired with FEMA Information Technology (IT) Security and management to determine the status of the MD NPSC C&A package and were not provided with any additional information as to the status of the C&A package.
Additionally, upon further review of the C&A package, we noted that both the MD NPSC and the regional LANs are within scope of this review, as NEMIS has servers at multiple regional sites. Furthermore, we determined that management had not adequately completed the C&A package over FSN-2 according to DHS policy.

Recommendation:
  • Formally designate an ISSO and DAA for the MD NPSC.
  • Immediately conduct an assessment of the key controls that help ensure confidentiality and availability of data for security weaknesses and determine the operational risk related to the MD NPSC LAN supporting FEMA financial applications. Weaknesses identified should be documented with plans for accelerated remediation efforts, or the related risks should be formally accepted by FEMA.
  • Review and revise the FSN-2 C&A package to reflect the current GSS environment in accordance with DHS and Federal guidance. Additionally, ensure that the C&A package has been completed to include the required artifacts, addresses the security controls for the various subsystems, and assigns and updates the appropriate security roles for each subsystem.


NFR # FEMA-IT-09-91 (New Issue; Risk Rating: 2)

Condition:
FEMA does not have a formal process for adequately tracking FEMA contractors throughout the on-boarding, termination, and transfer processes. Furthermore, we noted that the process established for notifying the FEMA OCIO of changes in a contractor's status, so that accounts can be disabled/removed or account profiles can be appropriately modified in the required timeframe, is not effective or comprehensive. Specifically, there are no formal requirements for COTRs to notify the OCIO of separating contractors.

Recommendation:
Document and implement procedures, according to DHS guidelines and requirements, that track the on-boarding, transfer, and separation of contractors. Ensure that the policies and procedures include:
  • The assignment of roles and responsibilities to appropriate FEMA management and stakeholders.
  • Steps for notifying the FEMA OCIO that a contractor is separating or transferring so that the contractor will have their systems access removed or modified in a timely manner, in accordance with DHS policies.
  • Regularly distributing a listing of terminated contract personnel to information system administrators so they can remove user access timely.



Department of Homeland Security

FY2009 Information Technology - Notice of Findings and Recommendations – Detail

  • Federal Law Enforcement Training Center

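The TRRP password rule cited in FEMA-IT-09-85 above (a password may not be a dictionary word, noun or name, that word spelled backwards, or either of those with a single digit or a two-digit "year" string appended, on top of the alphabetic/numeric/special-character complexity rule) as an added defensive check. This is example code written for this page, not FEMA's, NFIP's or KPMG's, and the word list is a constructed stand-in for a real dictionary and name list.

```python
"""Password content check reflecting the rules described in FEMA-IT-09-85.

Added example for this page; the word list below is a constructed stand-in
for the full dictionary/name list a deployment would load.
"""
import string

# Constructed stand-in for a dictionary, noun and name list.
DICTIONARY = {"password", "summer", "welcome", "agency", "flood", "michael", "houston"}

SPECIAL = set(string.punctuation)


def has_required_classes(pw: str) -> bool:
    """Complexity rule the page says TRRP already enforced:
    at least one alphabetic, one numeric and one special character."""
    return (any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIAL for c in pw))


def _base_forms(pw: str):
    """Yield (candidate_word, stripped_suffix) pairs the rule forbids:
    the string itself, the string minus a single trailing digit, and the
    string minus a trailing two-digit "year" string."""
    yield pw, ""
    if len(pw) >= 2 and pw[-1].isdigit():
        yield pw[:-1], pw[-1]
    if len(pw) >= 3 and pw[-2:].isdigit():
        yield pw[:-2], pw[-2:]


def dictionary_violation(pw: str, words=DICTIONARY):
    """Return a reason string if pw is a listed word, a listed word spelled
    backwards, or either of those with a single digit or two-digit year
    appended; return None when no such violation is found."""
    # Drop leading/trailing punctuation so 'Summer09!' is still caught.
    core = pw.strip(string.punctuation)
    for base, suffix in _base_forms(core):
        low = base.lower()
        tail = f" + {suffix!r}" if suffix else ""
        if low in words:
            return f"dictionary word {base!r}{tail}"
        if low[::-1] in words:
            return f"reversed dictionary word {base!r}{tail}"
    return None


def evaluate_password(pw: str, words=DICTIONARY) -> list:
    """Return the list of rule failures; an empty list means the password
    satisfies both the complexity rule and the dictionary rule."""
    failures = []
    if not has_required_classes(pw):
        failures.append("missing one of: alphabetic, numeric, special character")
    reason = dictionary_violation(pw, words)
    if reason:
        failures.append(reason)
    return failures


if __name__ == "__main__":
    # Constructed sample candidates, run through both rules.
    for candidate in ("Summer09!", "remmus7!", "welcome1", "Tr0ub4d0r&3"):
        print(f"{candidate!r}: {evaluate_password(candidate) or 'ok'}")
```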
(FLETC findings are rated with a "Severity Rating" rather than a "Risk Rating".)

NFR # FLETC-IT-09-03 (Repeat Issue; Severity Rating: 2)

Condition:
We determined that SOP 4250, which has been in effect for the entire fiscal year, was last updated on May 12, 2009, and that FLETC has developed a manual control for the installation of system software for Momentum. Specifically, logs of file changes to the Momentum UNIX servers are reviewed monthly. Therefore, this condition of the prior weakness has been partially corrected.
We also determined that FLETC is still in the process of implementing the Security Information Management System (SIM) to compile audited events of Oracle and other system software for review by FLETC personnel. FLETC management has confirmed that logs of Oracle are not being reviewed to identify potential anomalies or incidents. Due to the lack of audit logging procedures around system software for Momentum, this NFR will be reissued.

Recommendation:
We recommend that FLETC enable audit logging over all Momentum system software and ensure that logs are maintained and proactively reviewed by management.


NFR # FLETC-IT-09-04 (Repeat Issue; Severity Rating: 2)

Condition:
We determined that FLETC has implemented DHS's System Engineering Lifecycle (formerly called SDLC) into their business processes, and that it is promulgated to personnel involved in the change management process. However, we determined that implementation did not occur until April 2009. As a result, we will be reissuing this NFR with no recommendation, since the condition has existed for a majority of the fiscal year.

Recommendation:
As FLETC has effectively put into place procedures over the implementation of DHS' SELC effective April 2009, no recommendation will be offered.


NFR # FLETC-IT-09-26 (Repeat Issue; Severity Rating: 2)

Condition:
During the internal vulnerability assessment efforts of FLETC's Glynco Administrative Network (GAN), Financial Accounting and Budgeting System (FABS), and Student Information System (SIS) systems, we identified several High/Medium Risk vulnerabilities related to Configuration Management and Password Management. We confirmed that security configuration management weaknesses (i.e., default configuration settings, role and group policies, password policy, and user account management) continue to exist on hosts supporting FLETC. The conditions are exploitable as an insider without specific knowledge of the operation of the system or the applications hosted on that system. These conditions can be found in the table within the actual NFR.

Recommendation:
Implement the corrective actions for the recommendations listed within the NFR.


NFR # FLETC-IT-09-31 (Repeat Issue; Severity Rating: 2)

Condition:
We determined that in January 2009, FLETC implemented a Standard Operating Procedure (SOP) #60 titled Monthly Review of Security and Approval Logs, which requires management review and sign-off. However, FLETC was unable to provide documentation supporting the management review of approval logs for April, May, June, and July. In addition, FLETC was unable to provide evidence of management review of the security violation logs for June and July.

Recommendation:
We recommend that FLETC enforce its own policies and procedures for the maintenance and periodic review of audit logs for Momentum.


NFR # FLETC-IT-09-33 (New Issue; Severity Rating: 2)

Condition:
We determined that logs of auditable events in the LAN are not being reviewed to identify potential anomalies or incidents. FLETC is in the process of implementing SIM with the capabilities to manage logged auditable events for review by personnel. We determined that, while the SIM is being implemented, FLETC does not have an alternative procedure for the review of these logs.

Recommendation:
We recommend that FLETC establish and implement procedures to document and review logs of auditable events in the LAN.


NFR # FLETC-IT-09-34 (New Issue; Severity Rating: 2)

Condition:
We determined that access control weaknesses existed over the Momentum access authorizations for user profiles created or modified during the fiscal year. Specifically, we learned that profile creation and modification is not tracked and a listing of events could not be provided.

Recommendation:
We recommend that FLETC activate the logs for tracking the addition of new users and profile changes to Momentum.


NFR # FLETC-IT-09-35 (New Issue; Severity Rating: 2)

Condition:
We noted several weaknesses with logical access controls related to GAN:
  • The GAN is configured to prohibit password reuse for 6 generations, which does not meet the DHS standard of eight password generations.
  • The GAN is configured to reset the account failed logon counter after 60 minutes, which does not meet the DHS standard of 24 hours.
  • Several user IDs were identified having excessive access.
  • Supporting documentation for new user authorizations to the GAN could only be provided for ten users out of 25 sampled.
  • Fourteen separated employees still had an active user account to the GAN.
  • Formalized procedures are not in place for periodic reviews over GAN users.

Recommendation:
We recommend that FLETC Management:
  • Establish a process to ensure the GAN is configured to meet minimum DHS password configuration requirements.
  • Remove all generic/shared accounts and conduct periodic reviews of the user access lists to ensure compliance.
  • Establish and enforce procedures for the completion and maintenance of user access forms for the GAN.
  • Enforce procedures for the removal of transferred/terminated users within the GAN upon their separation from FLETC.
  • Establish and implement policies and procedures for recertification of GAN user privileges.


NFR # FLETC-IT-09-36 (New Issue; Severity Rating: 2)

Condition:
During our after-hours physical testing, we identified 84 passwords, four For Official Use Only violations, seven unsecured ID badges/keys, 83 Personally Identifiable Information violations, six unsecured laptops, two unsecured external drives, 12 unsecured credit cards, and four users logged into a system without an active screen saver set.

Recommendation:
We recommend that FLETC management implement processes to:
  • Ensure that users are trained and aware of safeguarding login credentials, locking network sessions to DHS systems, and locking any sensitive information, media containing sensitive information, or data not suitable for public dissemination in secure locations when not in use.
  • Effectively limit access to DHS buildings, rooms, work areas, spaces, and structures housing IT systems, equipment, and data to authorized personnel.


NFR # FLETC- (New Issue; Severity Rating: 2)

Condition:
During the FY 2009 financial statement audit, we noted several weaknesses with the logical access controls for the SIS. Specifically, we determined the following:
  • SIS is configured to have a password history of two passwords stored, which does not meet the DHS 4300A requirement of eight remembered passwords.
  • SIS is configured to have a minimum password age of five days, which does not meet the DHS 4300A requirement of seven days.

Recommendation:
We recommend that FLETC management:
  • Establish a process to ensure the SIS is configured to meet minimum DHS password configuration requirements.
  • Adjust system configuration settings to lock out users after three invalid logon attempts, as designated by DHS policies.
  • Remove all generic/shared accounts and conduct periodic reviews of the user access lists to ensure compliance.
\xe2\x80\xa2 Retain audit trail records in accordance\nIT-09-   \xe2\x80\xa2 SIS is not configured to reset the account       with DHS policies in order to support\n37          failed logon counter, which does not meet the   potential incidents within the system, and\n            DHS 4300A requirement of a reset every 24       for review of user privileges.\n            hours.                                        \xe2\x80\xa2 Activate tracking for the addition of new\n         \xe2\x80\xa2 Users were not locked out until after 6          users to SIS.\n            invalid attempts to access the application.\n         \xe2\x80\xa2 SIS system administrators share the \xe2\x80\x98root\xe2\x80\x99\n            username and password to perform\n            administrative responsibilities.\n         \xe2\x80\xa2 A sample of audit logs that track changes to\n            system data could not be provided.\n         \xe2\x80\xa2 Invalid user access attempts were not tracked\n\n\n                                                              100\n                     Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                               Department of Homeland Security\n                                                                                                                  Appendix B\n                                            Information Technology Management Letter\n                                                       September 30, 2009\n\n                                                                                                          New      Repeat      Severity\nNFR #                        Condition                                     Recommendation\n                                                                                                          Issue     Issue       Rating\n              and monitored until March 2009. 
Since this\n              weakness was corrected during the fiscal\n              year, no recommendation will be offered.\n            \xe2\x80\xa2 User profile creation is not tracked and a\n              listing of profile creation dates could not be\n              provided.\n            \xe2\x80\xa2 Evidence of periodic review of user accounts\n              could not be provided.\n\n       We determined that weak access controls exist           We recommend that management establish a    X                      2\n       over Momentum\xe2\x80\x99s system software. Specifically,          process to ensure FLETC systems are\nFLETC- we noted that the password configuration settings       configured to meet minimum DHS logical\nIT-09- for Linux, which supports Momentum, is set to           access configuration requirements.\n38     allow a user to attempt to logon six times before\n       the account is locked out.\n\n\n\n\n                                                                101\n                     Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                       Department of Homeland Security                     Appendix B\n                   Information Technology Management Letter\n                              September 30, 2009\n\n\n\n\n          Department of Homeland Security \n\nFY2009 Information Technology - Notice of Findings and \n\n             Recommendations \xe2\x80\x93 Detail \n\n\n          \xc2\x83 Immigration and Customs Enforcement\n\n\n\n\n\n                                     102 \n\nInformation Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                                Department of Homeland Security\n                                            Information Technology Management Letter                                   Appendix B\n                                                       September 30, 2009\n\n                                        
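The FLETC findings above (GAN: password history of 6 and a 60-minute counter reset; SIS: password history of 2, minimum age of 5 days, a failed-logon counter that never resets, and lockout only after 6 attempts; the Linux hosts behind Momentum: lockout after 6 attempts) are all deviations from numeric thresholds the auditors quote from DHS 4300A. The following Python script is an added example, not part of the audit report and not DHS or KPMG tooling: it encodes the thresholds as quoted in this appendix (password history 8, lockout after 3 invalid attempts, counter reset every 24 hours, minimum password age 7 days, workstation lock after 5 minutes of inactivity, and the special characters the FFMS finding names), flags observed settings that fall short, and works out how many online guesses per account per day a short counter-reset window leaves open, which is the point the ICE ADEX finding later in this appendix makes in words. The `net accounts` parser assumes the standard output layout of that Windows command; the sample output and the observed values are constructed from the findings, not captured from any DHS system.

```python
"""Added example: check observed account settings against the DHS 4300A
thresholds quoted in this appendix, and compute the online-guess budget a
lockout threshold and counter-reset window leave to an attacker."""

# Thresholds as quoted by the auditors (DHS 4300A). Each value is the
# minimum ("min") or maximum ("max") acceptable observed value.
POLICY = {
    "password_history":      (8, "min"),        # remembered passwords
    "lockout_threshold":     (3, "max"),        # invalid attempts before lockout
    "counter_reset_minutes": (24 * 60, "min"),  # failed-logon counter reset window
    "min_password_age_days": (7, "min"),
    "session_lock_minutes":  (5, "max"),        # inactivity before workstation lock
}

# Special characters named in the FFMS finding as ones a policy must allow.
REQUIRED_SPECIALS = set("!@#$%*")


def evaluate(observed):
    """Return (setting, observed, required) for each setting in `observed`
    that does not meet POLICY. Keys absent from `observed` are skipped so a
    partial snapshot can be checked. A value of None (a counter that never
    resets, a lockout that never triggers) is reported as a deviation
    because it does not satisfy the requirement as stated."""
    deviations = []
    for key, (required, bound) in POLICY.items():
        if key not in observed:
            continue
        value = observed[key]
        if (value is None
                or (bound == "min" and value < required)
                or (bound == "max" and value > required)):
            deviations.append((key, value, required))
    return deviations


def guesses_per_day(lockout_threshold, counter_reset_minutes):
    """Online guesses per account per 24 hours that never trigger lockout,
    for an attacker who stops one short of the threshold and waits for the
    counter to reset. A short reset window multiplies the budget; this is
    the GAN and ADEX counter-reset findings in numbers."""
    safe_per_window = max(lockout_threshold - 1, 0)
    if not counter_reset_minutes:            # None or 0: the counter never resets
        return safe_per_window
    windows_per_day = max(1, (24 * 60) // counter_reset_minutes)
    return safe_per_window * windows_per_day


def blocked_specials(permitted_specials):
    """Characters from REQUIRED_SPECIALS that a policy does not permit. A
    non-empty list is the FFMS condition (only '_' allowed)."""
    return sorted(REQUIRED_SPECIALS - set(permitted_specials))


# Labels in `net accounts` output mapped to POLICY keys (assumed layout of
# the Windows command; the inactivity lock is a screen-saver setting and is
# not reported by it).
_NET_ACCOUNTS_KEYS = {
    "Length of password history maintained": "password_history",
    "Lockout threshold": "lockout_threshold",
    "Lockout observation window (minutes)": "counter_reset_minutes",
    "Minimum password age (days)": "min_password_age_days",
}


def parse_net_accounts(text):
    """Parse `net accounts` output into POLICY keys. 'None' (no history
    kept) becomes 0 and 'Never' (lockout never triggers) becomes None."""
    observed = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = (part.strip() for part in line.rsplit(":", 1))
        key = _NET_ACCOUNTS_KEYS.get(label)
        if key is None:
            continue
        observed[key] = None if value == "Never" else 0 if value == "None" else int(value)
    return observed


# Observed values taken from the findings in this appendix.
OBSERVED = {
    "FLETC GAN": {"password_history": 6, "counter_reset_minutes": 60},
    "FLETC SIS": {"password_history": 2, "min_password_age_days": 5,
                  "counter_reset_minutes": None, "lockout_threshold": 6},
    "FLETC Momentum (Linux)": {"lockout_threshold": 6},
    "ICE ADEX": {"lockout_threshold": 3, "counter_reset_minutes": 30},
    "OFM DHSNET domain": {"password_history": 6, "session_lock_minutes": 15},
}

# Constructed `net accounts` output (not captured from any DHS system).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              8
Length of password history maintained:                6
Lockout threshold:                                    3
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
"""

if __name__ == "__main__":
    for system, settings in OBSERVED.items():
        for key, got, need in evaluate(settings):
            print(f"{system}: {key} = {got}, DHS 4300A requires {need}")
    print("net accounts:", evaluate(parse_net_accounts(SAMPLE_NET_ACCOUNTS)))
    print("FFMS blocks:", blocked_specials("_"))
    for threshold, reset in ((3, 24 * 60), (3, 60), (3, 30), (6, None)):
        print(f"{threshold} attempts, reset {reset} min -> "
              f"{guesses_per_day(threshold, reset)} guesses/day")
```

Run as a script it prints one deviation per system and setting. Two design points: a counter that never resets (SIS) is still reported, because the requirement as quoted is a 24-hour reset and an auditor tests the stated control rather than its side effects; and the guess-budget arithmetic shows why the reset window matters as much as the threshold: with lockout after 3 attempts, a 24-hour reset allows 2 unlocked guesses per account per day, a 60-minute reset (GAN) allows 48 and a 30-minute reset (ADEX) allows 96.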
Department of Homeland Security
FY2009 Information Technology - Notification of Findings and Recommendations – Detail
Immigration and Customs Enforcement


ICE-IT-09-11          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: We accessed ICE facilities located at the Tech World Building on
800 K Street and the PCN Tower on 500 and 12th Street without the use of DHS
issued credentials. Moreover, we overtly presented non-government issued
identification to building security and were then granted physical access to
the facilities.

Recommendation: We recommend that ICE train physical security personnel to
recognize DHS issued identification or credentials and detect non-conforming
credentials.


ICE-IT-09-12          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: Ineffective/non-compliant account lockout counter settings. During
the FY09 audit, KPMG inquired of ICE OCIO personnel about ADEX account
settings, reviewed the account lockout settings, and inspected ICE's logical
access policies, and found that the account lockout settings for ADEX were not
compliant with DHS policy. DHS policy requires that the system lock user
accounts after three consecutive invalid login attempts within a 24 hour
period. However, within ADEX, the count of invalid attempts to access the
system resets to zero after 30 minutes if no more than two invalid access
attempts are made. Therefore, several attempts can be initiated as long as the
user waits 30 minutes before attempting again.

Recommendation: The Enterprise Operations Division of the OCIO adjusted the
lockout settings after they were informed by us of the discrepancy. No
recommendation given.


ICE-IT-09-13          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: We determined that the FFMS password settings require the use of an
underscore and do not allow the use of any other special characters such as !,
@, #, $, %, or *, which is not compliant with DHS policy. The DHS policy
requires that passwords contain a combination of alphabetic, numeric, and
special characters.

Recommendation: We recommend that ICE update the FFMS password configuration
settings to be in compliance with DHS 4300A policies.


ICE-IT-09-14          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: We identified that the ADEX user recertification process is not
designed appropriately. Specifically, we noted a lack of formal policy and
procedure for managing the periodic review of ADEX general user access. In
addition, the informal process, which relies on personnel's annual completion
of the Information Assurance Awareness Training (IAAT) as a mitigating control
for ensuring a periodic review of users' access, is insufficient.

Recommendation: We recommend that ICE management establish and implement
policies and procedures for recertification of ADEX user privileges. This
process should include a method to document user recertification and a
process to maintain evidence of the reviews.


ICE-IT-09-15          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: We inquired of ICE OCIO personnel about the process for recertifying
FFMS user access (review of access privileges) and found that this process is
not formally documented. Furthermore, we identified that the review of the
access privileges for each FFMS account is not adequately recorded and no
audit trail is available to support that a recertification was completed.

Recommendation: We recommend that ICE management establish and implement
policies and procedures for recertification of FFMS user privileges. This
process should include a method to document user recertification and a
process to maintain evidence of the reviews.


ICE-IT-09-16          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: We determined that weaknesses exist over ADEX access. Specifically,
we found that 14 users who were separated from ICE still had active ADEX
accounts that were not removed upon their termination/transfer.

Recommendation: We recommend that ICE management develop processes for the
removal of transferred/terminated users from ADEX upon their separation.


ICE-IT-09-17          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: We performed an inspection of a listing of FFMS users and their
assigned roles/responsibilities and determined that six users had Originator,
Funds Certification Official, and Approving Official profiles that were in
violation of FFMS segregation of duties policies.

Recommendation: We recommend that ICE enforce policies and procedures to
ensure that assigned roles and responsibilities are commensurate with
personnel job functions.


ICE-IT-09-18          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: We identified that background reinvestigations are not conducted in
a timely manner. We performed an inspection of a sample of ICE personnel
requiring reinvestigations during the fiscal year, and of the 25 ICE employees
sampled, evidence of background reinvestigations during FY 2009 could not be
provided for 16 contractors.

Recommendation: We recommend that ICE management periodically review personnel
files to confirm background reinvestigations have been completed in accordance
with DHS standards.


ICE-IT-09-19          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: We performed an inspection of a sample of personnel that had
terminated/transferred from their employment with ICE during the fiscal year.
We requested evidence that exit clearance forms were completed for each
employee to determine ICE management's compliance with exit clearance
procedures. Of the 25 terminated/transferred ICE personnel sampled, evidence
of compliance with exit clearance procedures could not be provided for 12
employees.

Recommendation: We recommend that ICE management adhere to exit clearance
procedures and require personnel to follow them in the event of
transfer/termination.


ICE-IT-09-20          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: We determined that ICE lacks policies and procedures requiring
completion of a training program by personnel in IT security positions.

Recommendation: We recommend that ICE management implement mandatory
requirements for IT security personnel to complete training consistent with
their job function duties.


ICE-IT-09-21          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: During the internal vulnerability assessment of ICE's network
servers and systems, we identified several High/Medium Risk vulnerabilities
related to configuration management. We determined that security
configuration management weaknesses (i.e., missing security patches and
incorrect configuration settings) exist on hosts supporting ICE.

Recommendation: In addition to addressing the specific vulnerabilities
identified in the condition, ICE should:
  • Redistribute procedures and train employees on continuously monitoring and
    mitigating vulnerabilities. In addition, we recommend that ICE
    periodically monitor for unnecessary services and protocols running on
    their servers and network devices, in addition to deploying patches.
  • Perform vulnerability assessments and penetration tests on all offices of
    ICE, from a centrally managed location with a standardized reporting
    mechanism that allows for trending, on a regularly scheduled basis in
    accordance with NIST guidance.
  • Develop a more thorough approach to track and mitigate configuration
    management vulnerabilities identified during monthly scans. ICE should
    monitor the vulnerability reports for necessary or required configuration
    changes to their environment.
  • Develop a process to verify that systems identified with "HIGH/MEDIUM
    Risk" configuration vulnerabilities do not appear on subsequent monthly
    vulnerability scan reports unless they are verified and documented as a
    false positive. All risks identified during the monthly scans should be
    mitigated immediately and not be allowed to remain dormant.


ICE-IT-09-22          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: During our after-hours physical testing, we identified 26 passwords,
four For Official Use Only violations, two unsecured ID badges/keys, 15
Personally Identifiable Information violations, two server names/IP addresses,
three unsecured laptops, six unsecured external drives, one unsecured credit
card, and two users logged into a system without an active screen saver set.

Recommendation: KPMG recommends that ICE management implement processes to:
  • Ensure that users are trained and aware of safeguarding login credentials,
    locking network sessions to DHS systems, and locking any sensitive
    information, media containing sensitive information, or data not suitable
    for public dissemination in secure locations when not in use.
  • Effectively limit access to DHS buildings, rooms, work areas, spaces, and
    structures housing IT systems, equipment, and data to authorized
    personnel.


ICE-IT-09-23          New Issue: X     Repeat Issue: none     Severity Rating: 2

Condition: We identified that the IT security awareness training requirements
are not enforced. Of the population of staff that had not taken the training
by the ICE deadline of 6/1/09, we determined that three employees still
maintained system access. Additionally, procedures are not in place to disable
user accounts and access privileges if annual training is not completed.

Recommendation: We recommend that ICE management:
  • Remove system access for personnel that are not in compliance with
    training requirements.
  • Document procedures regarding the disabling of user accounts and access
    privileges, in accordance with DHS policies, for employees not in
    compliance.


Department of Homeland Security
FY2009 Information Technology - Notification of Findings and Recommendations – Detail
Office of Chief Information Security Officer


OCIO-IT-09-03         New Issue: X     Repeat Issue: none     Severity Rating: 1

Condition: DHS is in the process of becoming fully compliant with the Federal
Desktop Core Configuration (FDCC) security configurations. Each DHS component
agency has begun testing or implementing the FDCC security configurations;
however, full compliance with FDCC security configurations for all DHS
components is not planned to be completed until the end of FY 2011.

Recommendation: We recommend that the DHS OCIO:
  • Finalize the DHS Hardening Guides for Windows desktop operating systems
    and distribute them to all DHS component agencies.
  • Continue with the full implementation of FDCC security configurations
    across all DHS component agencies.


Department of Homeland Security
FY2009 Information Technology - Notification of Findings and Recommendations – Detail
Office of Financial Management


CONS-IT-09-13         New Issue: X     Repeat Issue: none     Severity Rating: 1

Condition: We identified that while weekly DHSTIER Oracle activity audit
reports (including the OBJECT, USER, and PRIVILEGE listings) are generated and
retained, evidence of RMTO security management reviews of the reports is not
retained.

Recommendation: We recommend that the RMTO Audit Log Review Policy/Procedures
be revised to require that DHSTIER Oracle activity audit reports are retained
with evidence that they have been reviewed by management in accordance with
DHS 4300A requirements.


CONS-IT-09-14         New Issue: X     Repeat Issue: none     Severity Rating: 1

Condition: We noted that the following password configurations for the DHSNET
domain, which controls access to the CFO Vision application, are not in
compliance with DHS 4300A requirements:
  • Password History is configured to remember the previous six (6) passwords
    rather than eight (8) as required by policy; and
  • Automatic Session Termination is configured to lock workstations after
    fifteen (15) minutes of inactivity rather than five (5) as required by
    policy.
Upon informing OFM management of this issue, DHS took corrective action and
partially remedied the condition by modifying the DHSNET domain policy to
remember the previous twenty-four (24) passwords. However, the automatic
session termination setting remains at 15 minutes.

Recommendation: We recommend that DHSNET domain password settings be
configured to align with DHS 4300A requirements concerning automatic session
termination.


CONS-IT-09-15         New Issue: X     Repeat Issue: none     Severity Rating: 1

Condition: DHS IT personnel informed us that prior to August 2009 a formal
process was not documented or implemented for authorizing, testing, and
deploying Windows operating system patches and emergency operating system
patches on the servers which support the DHSTIER and CFO Vision applications.
However, we were informed that since August 2009, DHS has implemented the
Infrastructure Change Control Board (ICCB) Change Management Handbook as the
formal requirement followed to document an initial change request form,
maintain test results, and obtain ICCB approval prior to deploying operating
system patches. Therefore, we concluded that a formal change management
process for operating system patches was not present for the majority of the
fiscal year.

Recommendation: We recommend that DHS continue to obtain and document
approvals and test results in accordance with DHS policies and requirements
for non-emergency and emergency operating system patches for DHSTIER and CFO
Vision.


CONS-IT-09-16         New Issue: X     Repeat Issue: none     Severity Rating: 1

Condition: We noted that policies and procedures requiring a periodic review
of physical access privileges to the NCCIPS Stennis Data Center (SDC), which
houses the physical infrastructure for DHSTIER and CFO Vision, have not been
documented or implemented since DHS operations at NCCIPS began on October 1,
2008.

Recommendation: We recommend that DHS develop and implement policies and
procedures for performing a periodic review of physical access privileges to
the DHS Stennis Data Center facility, to include retention of evidence that
reviews were performed and approved by appropriate management.


Department of Homeland Security
FY2009 Information Technology - Notification of Findings and Recommendations – Detail
Transportation Security Administration

Information 
Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                            Department of Homeland Security\n                                                                                                                           Appendix B\n                                          Information Technology Management Letter\n                                                     September 30, 2009\n\n                                           Department of Homeland Security\n\n                                            FY2009 Information Technology\n\n\n\n\n                                                                                    \n\n                                Notification of Findings and Recommendations \xe2\x80\x93 Detail\n\n\n\n\n                                                                                                 \n\n                                         Transportation Security Administration\n\n\n\n\n                                                                                        \n\n                                                                                                                   New       Repeat      Risk\nNFR #                        Condition                                       Recommendation\n                                                                                                                   Issue      Issue     Rating\nTSA-IT-   We were unable to obtain six of the eight         \xe2\x80\xa2   Complete workgroup efforts to establish clear                   X         1\n 09-20    Employee Exit Clearance Forms and one of the          ownership and corrective action plans for the\n          three Separating Non-Screener Employee and            conditions noted.\n          Contractor IT Certificates sampled.               
\xe2\x80\xa2 Complete and maintain all forms during the\n                                                                exit process, as required by the Employee Exit\n                                                                Clearance procedures for employees and\n                                                                contractors.\n                                                            \xe2\x80\xa2 Verify that a computer access agreement is\n                                                                acknowledged by all TSA employees and\n                                                                contractors, as required by the IT Security\n                                                                Policy Handbook, and that evidence of this\n                                                                acknowledgement is maintained.\nTSA-IT-   Deficiencies continued to exist over the script   Continue making improvements to implement and                      X          3\n 09-23    configuration management process.                 better document an integrated script configuration\n          Specifically, Deficiencies were noted in the      management process that includes enforced\n          areas of approvals, testing, monitoring,          responsibilities of all participants in the process,\n          maintaining documentation, and audit logging.     and the continued development of documentation\n                                                            requirements. 
We recommend that the Coast\n              \xe2\x80\xa2   Coast Guard lacks a formal process to     Guard should:\n                  distinguish between the module lead\n                  approvers for script approval requests.\n                                                            \xe2\x80\xa2    Continue to design, document, implement, and\n              \xe2\x80\xa2   Coast Guard Finance Center (FINCEN)            enforce the effectiveness of internal controls\n                  analysts may run scripts without               associated with the active (current and future)\n                  seeking further approval from the              scripts.\n\n\n                                                                115\n                    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                             Department of Homeland Security\n                                                                                                                               Appendix B\n                                           Information Technology Management Letter\n                                                      September 30, 2009\n\n                                                                                                                       New       Repeat      Risk\nNFR #                      Condition                                           Recommendation\n                                                                                                                       Issue      Issue     Rating\n                Functional Supervisors for approved\n                recurring scripts.                            
With respect to procedures already in place, Coast\n                                                              Guard should:\n            \xe2\x80\xa2   Testing requirements are inconsistently\n                followed for the testing of the Recurring\n                Approval scripts and retaining evidence       \xe2\x80\xa2    Update / Develop procedures and implement\n                of testing.                                        technical controls in the Core Accounting\n                                                                   System (CAS) and Financial Procurement\n            \xe2\x80\xa2   No reconciliation between the scripts              Desktop (FPD) databases to ensure that the\n                run and the changes made to the                    appropriate monitoring and review of script\n                database tables is being performed to              activities is performed and documented.\n                monitor the script activities using this\n                report as it is too difficult to accurately   \xe2\x80\xa2    Continue to update script policies and\n                and effectively reconcile the scripts to           procedures to include clear requirements and\n                the audit log table changes.                       
more detailed guidance over requesting\n                                                                   recurring scripts, testing and documentation\n            \xe2\x80\xa2   The Script Tracking System does not\n                                                                   requirements, monitoring/audit log reviews,\n                consistently include all testing,\n                                                                   and blanket approval requirements.\n                approval, and implementation\n                                                                   Additionally, ensure that the policies and\n                documentation for all scripts.\n                                                                   procedures include detailed guidance over the\n            \xe2\x80\xa2   Variations in the way the Production               requirements for the testing of scripts and\n                Review Process (PRP) Approval Forms                associated test plans to ensure that the\n                are populated and completed exist for              appropriate financial impact of the script is\n                fields such as financial impact, test              evaluated, reviewed by the appropriate\n                strategy and baseline determinations.              
personnel, tested in an appropriate test\n                                                                   environment prior to being put into\n            \xe2\x80\xa2   Proper approval is not consistently                production, and documented prior to\n                obtained and documented prior to the               execution.\n                running of each script.\n        In addition, we noted the following deficiencies      \xe2\x80\xa2    Further develop and implement policies and\n        related to TSA monitoring controls over the                procedures governing the script change\n        Coast Guard IT script process:                             control process to ensure that all script records\n\n\n                                                                  116\n                  Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                      Department of Homeland Security\n                                                                                                             Appendix B\n                                    Information Technology Management Letter\n                                               September 30, 2009\n\n                                                                                                     New       Repeat      Risk\nNFR #                 Condition                                   Recommendation\n                                                                                                     Issue      Issue     Rating\n        \xe2\x80\xa2   TSA management receives a weekly            within the Change Management Script System\n            script report as well as a Validation of    are accurate and complete.\n            Monthly Recurring Scripts from\n            FINCEN. 
However, we were informed\n            that TSA was still requesting\n            modifications to the script reports and\n            had asked FINCEN to go back into\n            Change Management Script System\n            (CMSS) to populate missing\n            information so that further analysis\n            could be conducted. Additionally,\n            during test work, we noted that for\n            eight PRP forms, the financial impact\n            determination did not match the CMSS\n            script record field.\n        \xe2\x80\xa2   TSA management is still in the process\n            of identifying the appropriate subject\n            matter experts in each area and have\n            not formalized the roles and\n            responsibilities surrounding this\n            process.\n        \xe2\x80\xa2   TSA policies and procedures\n            developed by require that the TSA\n            subject matter experts utilize the\n            financial impact guidance set forth by\n            FINCEN management in the PRP Staff\n            Instruction. 
However, upon inspection\n            of the PRP Instruction we determined\n            that this guidance does not adequately\n            include detailed criteria to determine\n            financial impact.\n        \xe2\x80\xa2    Once the financial impact is assessed\n\n                                                       117\n             Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                             Department of Homeland Security\n                                                                                                                           Appendix B\n                                           Information Technology Management Letter\n                                                      September 30, 2009\n\n                                                                                                                   New       Repeat      Risk\nNFR #                        Condition                                        Recommendation\n                                                                                                                   Issue      Issue     Rating\n                   and approved by FINCEN for the\n                   parent blanket approved recurring\n                   script, the testing of the script is not\n                   subsequently reviewed by an\n                   individual with financial reporting\n                   knowledge for child scripts that are run\n                   in production to ensure that financial\n                   impact is correct before the script is\n                   placed in production.\n            \xe2\x80\xa2      TSA is not asked to review and\n                   approve all scripts with a financial\n                   impact \xe2\x80\x93 thus a Coast Guard approver\n                   may approve a script that TSA is not in\n                   agreement with, or even aware of.\nTSA-IT-   During our 
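The reconciliation that TSA-IT-09-23 reports as missing (tying each change recorded in the database audit-log tables back to an approved, tested script, and each approved script forward to evidence that it ran) can be automated once both sides are exported. The following is an added example written for this letter; it is not code from the report, from KPMG, or from any Coast Guard or TSA system. The record layouts, the matching rule (a script tag on the audit row, else same table within a 30-minute window), the issue codes and the sample data are all constructed assumptions; an actual CMSS or CAS/FPD audit-log export would need its own parser feeding these records.

```python
"""Reconcile database audit-log change batches against script tracking records.

Added example: layouts, matching rule, issue codes and sample data are
constructed assumptions, not the report's or any agency's actual format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class ScriptRecord:
    """One entry from a script tracking system export (assumed layout)."""
    script_id: str
    table: str                   # table the script is documented to change
    run_at: datetime             # execution time recorded for the script
    approved: bool               # supervisor approval on file before the run
    test_evidence: bool          # test results retained for the script
    prp_financial_impact: str    # "Yes"/"No" as entered on the PRP form
    cmss_financial_impact: str   # "Yes"/"No" as stored in the script record


@dataclass
class AuditRow:
    """One batch of changes from a database audit-log table (assumed layout)."""
    changed_at: datetime
    table: str
    rows_changed: int
    script_id: Optional[str]     # script tag written by the change process, if any


def reconcile(scripts: List[ScriptRecord], audit_rows: List[AuditRow],
              window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str]]:
    """Return sorted (issue_code, identifier) pairs for every control exception."""
    issues = set()
    evidenced = set()            # script_ids with at least one matching audit batch

    for row in audit_rows:
        if row.script_id is not None:
            matches = [s for s in scripts if s.script_id == row.script_id]
        else:
            # Untagged change: fall back to same table inside the time window
            matches = [s for s in scripts
                       if s.table == row.table
                       and abs(s.run_at - row.changed_at) <= window]
        if not matches:
            # Data changed with no script record to account for it
            issues.add(("CHANGE_WITHOUT_SCRIPT_RECORD",
                        f"{row.table}@{row.changed_at:%Y-%m-%d %H:%M}"))
            continue
        for s in matches:
            evidenced.add(s.script_id)
            if not s.approved:
                issues.add(("RUN_WITHOUT_APPROVAL", s.script_id))
            if not s.test_evidence:
                issues.add(("NO_TEST_EVIDENCE", s.script_id))

    for s in scripts:
        # PRP form and CMSS record disagree on financial impact
        if s.prp_financial_impact != s.cmss_financial_impact:
            issues.add(("FINANCIAL_IMPACT_MISMATCH", s.script_id))
        # Script recorded as run, but the audit log shows no matching change
        if s.script_id not in evidenced:
            issues.add(("NO_AUDIT_LOG_EVIDENCE", s.script_id))
    return sorted(issues)


# Constructed sample data (not real script or audit-log records)
T = datetime(2009, 9, 15, 9, 0)
SAMPLE_SCRIPTS = [
    ScriptRecord("S-101", "AP_INVOICE", T, True, True, "Yes", "Yes"),
    ScriptRecord("S-102", "GL_BALANCE", T + timedelta(hours=1), False, True, "No", "No"),
    ScriptRecord("S-103", "VENDOR", T + timedelta(hours=2), True, False, "Yes", "No"),
    ScriptRecord("S-104", "PO_HEADER", T + timedelta(hours=3), True, True, "No", "No"),
]
SAMPLE_AUDIT = [
    AuditRow(T + timedelta(minutes=5), "AP_INVOICE", 40, "S-101"),
    AuditRow(T + timedelta(hours=1, minutes=2), "GL_BALANCE", 12, None),
    AuditRow(T + timedelta(hours=2, minutes=1), "VENDOR", 3, "S-103"),
    AuditRow(T + timedelta(hours=5), "GL_BALANCE", 7, None),  # no script near this
]

if __name__ == "__main__":
    for code, ident in reconcile(SAMPLE_SCRIPTS, SAMPLE_AUDIT):
        print(f"{code:30} {ident}")
```

Each exception maps to one of the bullets in the condition: changes with no script record and scripts with no audit-log evidence are the two directions of the missing reconciliation, the approval and test-evidence codes cover the approval and testing bullets, and the financial-impact code is the PRP-versus-CMSS comparison the auditors performed by hand for eight forms.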
TSA-IT-09-28 (New Issue: X; Risk Rating: 1)

Condition: During our after-hours physical security testing, we identified four passwords located on employee workstations.

Recommendation: Review security awareness programs designed to protect financial data to help ensure that individuals are adequately instructed and reminded of their roles in the protection of both electronic and physical TSA financial data and hardware that supports financial data.

TSA-IT-09-29 (New Issue: X; Risk Rating: 1)

Condition: Controls over the TSA quarterly access reviews for CAS and FPD user accounts have not been effectively implemented to ensure that TSA users who no longer require system access are removed in a timely manner.

Recommendation: Develop and effectively implement quarterly review policies and procedures that include follow-up measures that will be enforced to ensure that users identified through these reviews as maintaining unnecessary access have their accounts end-dated in a timely manner.


Department of Homeland Security
FY2009 Information Technology
Notification of Findings and Recommendations – Detail

    United States Citizenship and Immigration Services

CIS-IT-09-01 (Repeat Issue: X; Severity Rating: 2)

Condition: We inspected the National Benefits Center (NBC) CLAIMS 3 LAN user role/responsibilities documentation and determined that the system settings and assigned user roles within the system do not accurately reflect documented user responsibilities.

Recommendation: Continue to define and document the various CLAIMS 3 LAN roles and their associated responsibilities for the remaining service centers.

CIS-IT-09-02 (Repeat Issue: X; Severity Rating: 2)

Condition: NBC does not perform periodic CLAIMS 3 LAN user access reviews to ensure that users' level of access remains appropriate, and there are no procedures established for performing periodic reviews.

Recommendation: Establish and implement policies and procedures for handling, reviewing, and retention of CLAIMS 3 LAN user account request forms.

CIS-IT-09-03 (Repeat Issue: X; Severity Rating: 2)

Condition: Management at the USCIS Headquarters (HQ) and the Vermont Service Center has not completed, or has inadequately documented, access forms for CLAIMS 3 LAN and CLAIMS 4 system users.

Recommendation: Establish and enforce procedures for the completion and maintenance of user access forms for CLAIMS 3 LAN and CLAIMS 4 for all the service centers.

CIS-IT-09-04 (Repeat Issue: X; Severity Rating: 2)

Condition: The USCIS HQ has not maintained or documented a selection of system administrators' access authorization forms.

Recommendation: Conduct and document annual reviews of all users with Active Directory system administrator access.

CIS-IT-09-06 (Repeat Issue: X; Severity Rating: 2)

Condition: The biometric facial recognition scanner allowed unauthorized personnel access to the USCIS server room, and procedures regarding removal, authorization, and logging of USCIS backup media are not in place for the Technology Engineering Consolidation Center (TECC).

Recommendation:

    •   Establish and implement backup media retention and rotation policies.
    •   Establish and implement emergency exit and re-entry procedures.
    •   Develop a process that assures all resources with access to the USCIS resources adhere to the policy and procedure.
    •   Implement stronger physical access controls over the server cage door to prevent further unauthorized access.

CIS-IT-09-07 (Repeat Issue: X; Severity Rating: 2)

Condition: USCIS has not finalized a policy that outlines the process for developing forms for labeling and tracking the disposition process, or provided clear instructions for conducting media wipes or purges of data.

Recommendation: Update and finalize their policies and procedures to reflect their current media sanitization operation.

CIS-IT-09-08 (Repeat Issue: X; Severity Rating: 2)

Condition: USCIS does not recertify its system administrator accounts on an annual basis.

Recommendation: Management should establish a more timely process to perform a periodic review of user accounts ensuring proper authorization and training.

CIS-IT-09-09 (New Issue: X; Severity Rating: 2)

Condition: CLAIMS 3 LAN password re-use and length configurations do not meet DHS standards. CLAIMS 3 LAN generic user accounts were not timely removed because of a lack of user account recertification.

Recommendation:

    •   Establish a process to ensure that USCIS systems are configured to meet minimum DHS password configurations and requirements.
    •   Remove all generic accounts to CLAIMS 3 LAN production systems and perform periodic reviews of the user access list to ensure compliance.

CIS-IT-09-10 (New Issue: X; Severity Rating: 2)

Condition: CLAIMS 4 LAN password configuration settings do not meet DHS 4300A password standards.

Recommendation: We recommend that USCIS establish a process to ensure CLAIMS 4 LAN is configured to meet DHS 4300A password configuration standards.

CIS-IT-09-11 (New Issue: X; Severity Rating: 2)

Condition: We identified that an inadequate background investigation was performed and documented for one new-hire employee from a sample of 25.

Recommendation: We recommend that USCIS management periodically review personnel files to confirm background investigations have been completed in accordance with DHS standards.

CIS-IT-09-12 (New Issue: X; Severity Rating: 2)

Condition: We inspected a sample of personnel that had terminated/transferred from their employment with USCIS. Of the 28 terminated/transferred USCIS personnel sampled, evidence of compliance with exit clearance procedures could not be provided for 19 employees.

Recommendation: We recommend that USCIS management adhere to exit clearance procedures and require personnel to follow them in the event of transfer/termination.

CIS-IT-09-13 (New Issue: X; Severity Rating: 2)

Condition: Vermont Service Center (VSC) has ineffective safeguards over the computer room in the Office of Information Technology (OIT). VSC procedures regarding the removal, authorization and logging of backup media are not in place. VSC procedures for ensuring accuracy and completeness over visitor logs are not enforced.

Recommendation:

    •   Establish and implement procedures for maintaining and authorizing the OIT's computer room access list.
    •   Establish and implement backup media retention and rotation policies.
    •   Enforce completeness and accuracy over visitor information in logs.

CIS-IT-09-14 (New Issue: X; Severity Rating: 2)

Condition: During our testing of access controls for FFMS, in our sample of 25 active users, we noted one user's access was excessive, based on the access approved by their present supervisor. We learned that this user's profile was changed as the user relocated to a different service center. However, when the profile change was requested, the FFMS administrator did not remove all previous access nor assure that the access rights were current and authorized. As a result, the user had excessive privileges for her role and responsibilities. We also noted that the USCIS SOP did not reflect this procedure, though we learned through inquiry that the FFMS administrators are required to remove all prior access when performing a profile change. As a result of our test work, USCIS responded by removing the excessive access to reflect the user's role and responsibilities. In addition, USCIS updated their SOP to require all previous access to be confirmed and removed prior to granting new access roles.

Recommendation: We recommend that USCIS establish and enforce policies and procedures that ensure that roles and responsibilities are commensurate with their job function.

CIS-IT-09-15 (New Issue: X; Severity Rating: 2)

Condition: We identified a lack of audit logging policies over the application and server logs for the CLAIMS 3 and CLAIMS 4 LAN system.

Recommendation: We recommend that USCIS establish and enforce policies and procedures for maintenance and review of audit logging.

CIS-IT-09-16 (New Issue: X; Severity Rating: 2)

Condition: We identified weaknesses within physical access controls for CLAIMS 4 LAN over lack of procedures for recertifying user access, lack of evidence of least privilege and segregation of duties controls, and untimely removal of terminated personnel accounts.

Recommendation:

    •   Establish and implement policies and procedures for the handling, periodic review, and retention of CLAIMS 4 LAN user account request forms.
    •   Define and document policies and procedures for identifying and approving CLAIMS 4 user roles/profiles to include the user's responsibilities. In addition, the policies and procedures should address and implement segregation of duties procedures.
    •   Develop policies and procedures for the removal of transferred/terminated users within CLAIMS 4 upon their separation from USCIS.

CIS-IT-09-17 (New Issue: X; Severity Rating: 2)

Condition: We identified weaknesses within monthly trainings of USCIS' ISSOs.

Recommendation: We recommend that USCIS management implement mandatory training requirements for IT security personnel to complete training consistent with their job function duties.
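Several of the findings above (TSA-IT-09-29, CIS-IT-09-02, CIS-IT-09-08, CIS-IT-09-09, CIS-IT-09-14 and CIS-IT-09-16) come down to the same periodic review: compare the accounts a system holds against the personnel roster and the approved access forms, and flag separated users still active, accounts with no person behind them, and roles beyond what a supervisor approved. The following is an added example written for this letter, not code from the report or from any USCIS or TSA system. The roster and account layouts, the field names and the sample data are constructed assumptions; in practice the two inputs would be an HR separation extract and the application's user list.

```python
"""Periodic user access review: roster vs. system accounts vs. approved roles.

Added example: record layouts and sample data are constructed assumptions,
not the report's or any agency's actual export format.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class HrRecord:
    """One person from the personnel roster (assumed layout)."""
    user_id: str
    separated_on: Optional[date]     # None means still employed


@dataclass
class SystemAccount:
    """One account from the application's user list (assumed layout)."""
    user_id: str
    enabled: bool
    end_date: Optional[date]         # account end-dated on or before this date
    roles: FrozenSet[str]            # roles actually assigned in the system
    approved_roles: FrozenSet[str]   # roles on the supervisor-approved access form


def review_accounts(roster: List[HrRecord], accounts: List[SystemAccount],
                    as_of: date) -> List[Tuple[str, str]]:
    """Return sorted (finding_code, detail) pairs for the review as of a date."""
    by_id = {r.user_id: r for r in roster}
    findings = set()

    for acct in accounts:
        person = by_id.get(acct.user_id)
        if person is None:
            # Generic, shared or orphaned account: no person is accountable for it
            findings.add(("NO_PERSONNEL_RECORD", acct.user_id))
        elif person.separated_on is not None and person.separated_on <= as_of:
            still_usable = acct.enabled and (acct.end_date is None
                                             or acct.end_date > as_of)
            if still_usable:
                days = (as_of - person.separated_on).days
                findings.add(("SEPARATED_USER_ACTIVE",
                              f"{acct.user_id} ({days} days since separation)"))

        # Roles present in the system but absent from the approved access form
        excess = acct.roles - acct.approved_roles
        if excess:
            findings.add(("ROLES_EXCEED_APPROVAL",
                          f"{acct.user_id}: {', '.join(sorted(excess))}"))
    return sorted(findings)


# Constructed sample data (not real personnel or account records)
SAMPLE_ROSTER = [
    HrRecord("asmith", None),
    HrRecord("bjones", date(2009, 7, 1)),      # separated, account never end-dated
    HrRecord("clee", date(2009, 9, 20)),       # separated, account end-dated next day
    HrRecord("dpatel", None),
]
SAMPLE_ACCOUNTS = [
    SystemAccount("asmith", True, None, frozenset({"AP_CLERK"}), frozenset({"AP_CLERK"})),
    SystemAccount("bjones", True, None, frozenset({"AP_CLERK"}), frozenset({"AP_CLERK"})),
    SystemAccount("clee", True, date(2009, 9, 21), frozenset({"GL_VIEW"}), frozenset({"GL_VIEW"})),
    # Transferred user whose old role was never removed (the CIS-IT-09-14 pattern)
    SystemAccount("dpatel", True, None, frozenset({"AP_CLERK", "GL_ADMIN"}), frozenset({"AP_CLERK"})),
    SystemAccount("svc_batch", True, None, frozenset({"GL_ADMIN"}), frozenset({"GL_ADMIN"})),
]

if __name__ == "__main__":
    for code, detail in review_accounts(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, date(2009, 9, 30)):
        print(f"{code:24} {detail}")
```

Running the review on a schedule and keeping its output, together with the sign-off that each finding was closed, is the evidence the recommendations ask for; an account that was end-dated before the review date, like the third sample account, produces no finding even though the person has left.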
Issue     Issue       Rating\nCIS-IT-   We determined that weaknesses exist related to        We recommend that USCIS management                  X                     2\n 09-18    CLAIMS3 LAN access. Specifically, we                  develop and implement policies and\n          identified 21 users which were separated from         procedures for the removal of separated users\n          USCIS and still retained access to the CLAIM3         within CLAIMS 3 LAN upon their separation.\n          LAN.\n\nCIS-IT-   We tested a sample of personnel that were             \xe2\x80\xa2    Establish and implement requirements for      X                      2\n 09-19    required to complete annual Computer Security              personnel to complete Computer Security\n          Awareness Training during the fiscal year. Of              Awareness Training annually.\n          the thirty (30) personnel sampled, evidence of        \xe2\x80\xa2    Develop a process to disable user accounts\n          compliance could not be provided for two                   and access privileges in accordance with\n          employees. 
Additionally, procedures are not in             DHS policies for employees not in\n          place to disable user accounts and access                  compliance.\n          privileges if annual training is not completed on a\n          timely basis.\n\n\n\n\n                                                                    124\n                     Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                          Department of Homeland Security                    Appendix C\n                       Information Technology Management Letter\n                                  September 30, 2009\n\n\n\n\n                                  Appendix C \n\n\nStatus of Prior Year Notices of Findings and Recommendations and \n\n                          Comparison To \n\n Current Year Notices of Findings and Recommendations at DHS \n\n\n\n\n\n                                         125\n    Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                   Department of Homeland Security                                Appendix C\n                                Information Technology Management Letter\n                                           September 30, 2009\n\n\n\n     Status of Prior Year Notices of Findings and Recommendations and Comparison To\n                   Current Year Notices of Findings and Recommendations\n                                                                                             Disposition\nNFR No.          
Description                                                           Closed         Repeat\n\n  CBP-IT-08-02         Interconnection Security Agreements (ISAs)                        X\n  CBP-IT-08-03                                                                                         09-03\n  CBP-IT-08-08                 Audit Logs                                                X\n  CBP-IT-08-09    Disabling of Inactive Accounts on                                      X\n  CBP-IT-08-12                     Installations                                                       09-12\n  CBP-IT-08-13    Complete List of CBP Workstations                                                    09-13\n  CBP-IT-08-16    Excessive        Emergency Access                                      X\n  CBP-IT-08-18    Recertification of             Accounts                                X\n  CBP-IT-08-21    Review of Changes to Security Profiles in                                            09-21\n  CBP-IT-08-26    Review of               Security Violation Logs                        X\n  CBP-IT-08-27                 Administrator Access Authorization Weaknesses                           09-27\n  CBP-IT-08-28                 Access Policies and Procedures                            X\n  CBP-IT-08-29    Completion of CF-241 Forms for Terminated Employees                                  09-29\n  CBP-IT-08-34    Installation of Virus Protection                                                     09-34\n  CBP-IT-08-35    Configuration Management                                               X\n  CBP-IT-08-36    Patch Management                                                       X\n  CBP-IT-08-37    Security Violation Review Process                                      X\n  CBP-IT-08-38    Process for Reviewing               Audit and                 Logs     X\n  CBP-IT-08-39    Password Configuration Weakness in                                     X\n                  ISSM 
Approval of          Emergency and Temporary Access\n  CBP-IT-08-40                                                                           X\n                  Authorizations\n  CBP-IT-08-41    Weaknesses in the Process of Separating CBP Contractors                              09-41\n                  Formal Agreement Not in Place for CBP\xe2\x80\x99s Use of             as\n  CBP-IT-08-42                                                                           X\n                  Business Continuity Facility\n  CBP-IT-08-43    Inadequate Resources at           for Business Continuity Testing      X\n  CBP-IT-08-44    Completion of Non Disclosure Agreements for CBP Contractors                          09-44\n  CBP-IT-08-45    Log Configuration Weakness for                      System                           09-45\n  CBP-IT-08-46    Review of                                        Logs                  X\n  CBP-IT-08-47    Rules of Behavior are Not Signed Before Gaining Systems Access         X\n  CBP-IT-08-48    Lack of Effective        Access Change Log Review Procedures                         09-48\n  CBP-IT-08-49    Weak Initial Passwords Granted for New Accounts in                     X\n  CBP-IT-08-50    Inadequate Tracking of Security Awareness Training Completion          X\n  CBP-IT-08-51    No         Hardware Maintenance Procedures                             X\n  CBP-IT-08-52    Screensavers are Not Appropriately Configured on the                   X\n                  Out of Date and Inaccurate        Security Administrator\n  CBP-IT-08-53                                                                           X\n                  Procedures\n  CBP-IT-08-54          Access Control Weaknesses                                        X\n  CBP-IT-08-55                 Accounts Created by Unauthorized Parties                  X\n\n  CG-IT-08-01     FINCEN Service Continuity Weakness                                     X\n                  Security 
Configuration Management Policy and Procedures\n  CG-IT-08-06                                                                            X\n                  Weakness\n  CG-IT-08-07     RACF/JUMPS Password Configuration Needs Strengthening                  X\n\n                                                      126\n          Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                  Department of Homeland Security                              Appendix C\n                               Information Technology Management Letter\n                                          September 30, 2009\n\n\n\n                                                                                          Disposition\nNFR No.          Description                                                        Closed         Repeat\n\n  CG-IT-08-10     Contractor Background Investigation Weakness                                      09-10\n                  Weaknesses in Specialized Role-based Training for Individuals\n  CG-IT-08-14                                                                                       09-14\n                  with Significant Security Responsibilities\n  CG-IT-08-17     Checkfree Password Configuration Needs Strengthening                X\n  CG-IT-08-23     SAM Audit Log Review Weakness                                                     09-23\n  CG-IT-08-25     WINS Access Controls Need Strengthening                                           09-25\n  CG-IT-08-27     SAM Account Management Weakness                                     X\n  CG-IT-08-31     Weaknesses in Controls Over the Scripting Process                                 09-31\n  CG-IT-08-32     Lack of a Documented Contractor Tracking Mechanism                                09-32\n                  Lack of a Consistent Contractor, Civilian, and Military Account\n  CG-IT-08-33                                                                   
                    09-33\n                  Termination Process for Coast Guard Systems\n  CG-IT-08-34     WINS Change Control Weakness                                                      09-34\n  CG-IT-08-35     CAS and FPD Change Control Weakness                                 X\n  CG-IT-08-36     Vulnerability Assessment Weakness \xe2\x80\x93 Configuration Management        X\n  CG-IT-08-37     Vulnerability Assessment Weakness \xe2\x80\x93 Patch Management                X\n  CG-IT-08-40     Civilian Background Investigation Weakness                                        09-40\n  CG-IT-08-41     Weakness in the CAS C&A Package                                     X\n  CG-IT-08-42     Non-Compliance with FFMIA \xe2\x80\x93 Information Technology                                09-42\n                  Access Authorization and Recertification Weaknesses within the\n  CG-IT-08-43                                                                                       09-43\n                  User Management System (UMS)\n\n                  Lack of Definition and Documentation of Access Roles at the\n  CIS-IT-08-01                                                                                      09-01\n                  National Benefits Center for CLAIMS 3 LAN\n                  Periodic CLAIMS 3 LAN User Access Reviews are not Performed\n  CIS-IT-08-02    at the NBC                                                                        09-02\n\n                  Incomplete or Inadequate Access Request Forms for CLAIMS 3\n  CIS-IT-08-03    LAN, CLAIMS 4, and CISCOR System Users at Headquarters                            09-03\n                  and the Service Centers\n  CIS-IT-08-04    Ineffective Controls for Restricting Security Software Exist                      09-04\n  CIS-IT-08-06    Weak Data Center Access Controls                                                  09-06\n  CIS-IT-08-07    Equipment and Media Policies and Procedures are not Current       
                09-07\n  CIS-IT-08-08    Weak Access Controls for Security Software Exist                                  09-08\n\n CONS-IT-08-07    Lack of Individual Accountability for DBA Accounts                  X\n CONS-IT-08-11    Lack of Sufficient Evidence of TIER Change Control Testing          X\n                  Evidence of Approvals and Testing for the CFO Vision 4.3\n CONS-IT-08-12                                                                        X\n                  Upgrade Not Documented\n\n                  Configuration Management Weaknesses on IFMIS, NEMIS, and\n FEMA-IT-08-02                                                                                      09-02\n                  Key Support Servers\n FEMA-IT-08-03    Weaknesses Exist over Recertification of Access to the IFMIS                      09-03\n                  Documentation Supporting the IFMIS User Functions Does Not\n FEMA-IT-08-06                                                                                      09-06\n                  Exist\n FEMA-IT-08-12    NEMIS Access Controls Need Improvement                                            09-12\n FEMA-IT-08-13    Employee Termination Process for Removing System Access                           09-13\n\n\n                                                    127\n          Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                   Department of Homeland Security                             Appendix C\n                                Information Technology Management Letter\n                                           September 30, 2009\n\n\n\n                                                                                          Disposition\nNFR No.          
Description                                                        Closed         Repeat\n\n                  Should be More Proactive\n                  System Programmers Have the Ability to Migrate Code into the\n FEMA-IT-08-17                                                                                      09-17\n                  IFMIS Production Environment\n FEMA-IT-08-19    Monitoring of FEMIS System Software Needs Improvement                             09-19\n FEMA-IT-08-22    Alternate Processing Site for NEMIS Has Not Been Established                      09-22\n                  IFMIS Backup Tapes are not Tested in Accordance with DHS\n FEMA-IT-08-23                                                                        X\n                  Requirements\n FEMA IT-08-24    NEMIS Backups are not Tested in Accordance with Policy                            09-24\n FEMA-IT-08-25    NEMIS Contingency Plan is not Tested                                              09-25\n                  NEMIS Configuration Management Process for Non-Emergency\n FEMA-IT-08-28                                                                                      09-28\n                  Changes Needs Improvement\n FEMA-IT-08-29    NEMIS Emergency Change Process Needs Improvement                                  09-29\n FEMA-IT-08-38    Segregation of Duties Not Enforced for Traverse                                   09-38\n                  Traverse Contingency Plan Not Tested and NFIP Disaster\n FEMA-IT-08-39                                                                                      09-39\n                  Recovery and CCOP Needs Improvement\n                  IFMIS User Access is not Managed in Accordance with Account\n FEMA-IT-08-45                                                                                      09-45\n                  Management Procedures\n                  IFMIS System Interconnections Agreements have not been\n FEMA-IT-08-46           
                                                                           09-46\n                  Reauthorized\n                  NEMIS System Interconnections Agreements have not been\n FEMA-IT-08-47                                                                        X\n                  Reauthorized\n                  Corrective Action over NEMIS Vulnerabilities is Not Formally\n FEMA-IT-08-48                                                                                      09-48\n                  Documented\n                  Anti-Virus Settings on User\xe2\x80\x99s Workstation were not Configured\n FEMA-IT-08-49                                                                        X\n                  Properly\n                  Weaknesses Exist over IFMIS Application and Database Audit\n FEMA-IT-08-50                                                                                      09-50\n                  Logging\n FEMA-IT-08-51    NEMIS Oracle Audit Logging is not Sufficient                                      09-51\n                  Existing NEMIS Patch Management Guidance Needs to be\n FEMA-IT-08-52                                                                                      09-52\n                  Implemented\n                  The NEMIS System Security Plan has not been Fully Updated in\n FEMA-IT-08-53                                                                                      09-53\n                  Accordance with DHS Policy\n FEMA-IT-08-54    Traverse Application Management Needs Improvement                                 09-54\n FEMA-IT-08-55    TRRP Change Management Needs Improvement                            X\n\nFLETC-IT-08-01    Momentum Configuration Management Needs Improvement                 X\n                  Procurement Desktop Configuration Management Needs\nFLETC-IT-08-02                                                                        X\n                  Improvement\n                  
Installation of Momentum System Software is not Logged or\nFLETC-IT-08-03                                                                                      09-03\n                  Reviewed\nFLETC-IT-08-04    The SDLC for Momentum is not Finalized                                            09-04\nFLETC-IT-08-05    Momentum Backups are not Tested                                     X\nFLETC-IT-08-06    The Momentum Contingency Plan is not Complete                       X\n                  Incidents are not Tracked in an Incident Response Management\nFLETC-IT-08-07                                                                        X\n                  System\nFLETC-IT-08-08    Lack of Policies and Procedures over Incompatible Duties within     X\n\n\n                                                     128\n          Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                   Department of Homeland Security                              Appendix C\n                                Information Technology Management Letter\n                                           September 30, 2009\n\n\n\n                                                                                           Disposition\nNFR No.          
Description                                                         Closed         Repeat\n\n                  Procurement Desktop\nFLETC-IT-08-09    Telecom Room Access Controls Needs Improvement                       X\n                  Momentum and Procurement Desktop Access Controls Need\nFLETC-IT-08-10                                                                         X\n                  Improvement\nFLETC-IT-08-11    IT Security Awareness Training is in Draft Form                      X\n                  Policies and Procedures over Mobile Code Technologies are not\nFLETC-IT-08-12                                                                         X\n                  Developed\n                  Policies and Procedures for Review of Momentum Audit Logs are\nFLETC-IT-08-13                                                                         X\n                  not Developed\n                  Policies and Procedures for Restricting Access to Momentum\nFLETC-IT-08-14                                                                         X\n                  System Software are not Developed\n                  Policies and Procedures for Segregating Incompatible Duties in\nFLETC-IT-08-15                                                                         X\n                  Momentum are not Developed\n                  Policies and Procedures over VoIP Technologies are not\nFLETC-IT-08-16                                                                         X\n                  Developed\n                  Background Investigations for Contractors are not Consistently\nFLETC-IT-08-17                                                                         X\n                  Performed\nFLETC-IT-08-18    Procurement Desktop Audit Logs Need Improvement                      X\nFLETC-IT-08-20    Access to FLETC LAN is not Effectively Controlled                    X\n                  FLETC Manual 4300: IT System Security Program and Policy 
is\nFLETC-IT-08-21                                                                         X\n                  not Finalized\nFLETC-IT-08-22    Access Controls over Procurement Desktop are not Effective           X\nFLETC-IT-08-23    Lack of Procedures for Recertifying Procurement Desktop Users        X\n                  Momentum/Procurement Desktop Contingency Plan is not\nFLETC-IT-08-24                                                                         X\n                  Maintained at the Alternate Processing Site\n                  Policies and Procedures over Anti-Virus Software for Servers and\nFLETC-IT-08-25                                                                         X\n                  System Maintenance are not Finalized\n                  Configuration Management Weaknesses on the Procurement\nFLETC-IT-08-26                                                                                       09-26\n                  Desktop, Momentum, and GSS\nFLETC-IT-08-27    Patch Management Weaknesses on Procurement Desktop and GSS           X\nFLETC-IT-08-29    Procurement Desktop Backups are not Tested                           X\nFLETC-IT-08-30    Momentum Users are Granted Inappropriate Super User Access           X\nFLETC-IT-08-31    Momentum Security Violation Events are not Reviewed                                09-31\nFLETC-IT-08-32    Momentum Segregation of Duties Controls are not Effective            X\n\n  ICE-IT-08-04    Weak ICE Network/ADEX Access Controls Exist                          X\n                  ICENet\\ADEX Contingency Plan is not Stored at Offsite\n  ICE-IT-08-09                                                                         X\n                  Locations\n                  ICENet\\ADEX Backup Facility Access is not Appropriately\n  ICE-IT-08-10                                                                         X\n                  Secured from Unauthorized Access\n\n                  Formal Agreement 
Not in Place for CBP Use of the Stennis Data\n OCIO-IT-08-01                                                                         X\n                  Center as a Business Continuity Facility\n OCIO-IT-08-02    DHS SDLC has not been Finalized                                      X\n\n  TSA-IT-08-01    FINCEN Service Continuity Weakness                                   X\n\n\n                                                     129\n          Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                                  Department of Homeland Security                             Appendix C\n                               Information Technology Management Letter\n                                          September 30, 2009\n\n\n\n                                                                                         Disposition\nNFR No.          Description                                                       Closed         Repeat\n\n                  Security Configuration Management Policy and Procedures\n  TSA-IT-08-03                                                                       X\n                  Weakness\n  TSA-IT-08-05    Contractor Background Investigation Weakness                       X\n                  Weaknesses in Specialized Role-based Training for Individuals\n  TSA-IT-08-06                                                                       X\n                  with Significant Security Responsibilities\n  TSA-IT-08-13    Weakness in the CAS C&A Package                                    X\n  TSA-IT-08-15    TSA IS Security Awareness Training Weakness                        X\n  TSA-IT-08-18    Vulnerability Assessment Weakness \xe2\x80\x93 Configuration Management       X\n  TSA-IT-08-19    Vulnerability Assessment Weakness \xe2\x80\x93 Patch Management               X\n                  Weaknesses over the TSA Computer Access Agreement and\n  TSA-IT-08-20                                       
                                              09-20\n                  Termination Clearance Processes\n                  CAS, FPD, and Sunflower Change Control Policy and Procedures\n  TSA-IT-08-21                                                                       X\n                  Weakness\n  TSA-IT-08-22    CAS and FPD Change Control Weakness                                X\n  TSA-IT-08-23    Weaknesses in Controls Over the Scripting Process                                09-23\n  TSA-IT-08-24    Civilian Background Investigation Weakness                         X\n                  Access Authorization and Recertification Weaknesses within the\n  TSA-IT-08-26                                                                       X\n                  User Management System (UMS)\n  TSA-IT-08-27    CAS and FPD Access Recertification Weakness                        X\n\n\n\n\n                                                    130\n          Information Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                              Department of Homeland Security                                     Appendix D\n                         Information Technology Management Letter\n                                      September 30, 2009\n\n\n\n                                                                  u.s. Dojlo..m..\' 0 1 _... S<ArItr\n                                                                  w............ OC2<W1\n\n\n                                                                 Homeland\n                                                                 Security\n                                      API! 
- 2100\n         MEMORANDUM FOR;             Richard Skinner\n                                     1nIpe<:tor General\n\n      FROM:                                  .r.1 ~\n                                     Richard SPi-   A\n\n\n\n\n                                     Chief1nfo~eer\n                                    t~\n                                    ~~aIOfficer\n                                    Robert West\n                                    ChidInfomlatlon Security Officer\n\n     SUBJECT:                       010 DntftAuditReport - bifon"Olil)rr Technology\n                                    Monage1/U1li Lettufor FY 20(J9 DHS InJegraled.Alldir\xc2\xad\n                                    For OffiCilll Un OI\'lly\n\n     We have reviewed the Office of the Inspector General\'s (010) draft alKlit report,\n     Irrformat/Olt T,cnnologyManagcfMnl uttu (rTML)for FY ]009 DHS IntegraltdAwffl,\n     dated December 9, 2009. We ooneur with me Financial Systems Security fuuiinas\n     contained within your audit report\n\n     The DHS Chid Information Offie\xc2\xab (CIO) aod ChiefFio.ancial Officer (CFO) have\n     aligned the Federal Infonn8tion Security Mu.oBgetnellt Act (FlSMA) framework with the\n     internal oolitrolllSlJCSSnlelit process, governed by omee of Management aDd Budget\n     (OMB), Circular A-I23, Manag,ment\'s R.sporr.slbilltyfor IntuMI Control across the\n     Departroent 10 improve financial systems security a1 the Department. Major activities\n     under this integrated approach include:\n\n     \xe2\x80\xa2    l$SIJcd. final tmernal Control Playbook MQ~me\'" Auvronc. 
Procu$ Gtdtk\n          Fiscal r,ar 2()(}9 Addendum 10 the Information Teelmology General Controls (ITGC)\n          lmplemenwion Guide which provides guidance 011 DHS\'s approach to docum.enUna\n          and tesdngthe design effectiveness offinancialay.tenl n\'oc\xe2\x80\xa2.\n     \xe2\x80\xa2    Updated tile CFO Desiaoated Systems List for FY09 as a result ofITOC Systems\n          Mapping performed in FY08. The list specific! the financ:ial systems that require\n          additional management acx:ountability to ensure effective controls exist over financial\n          reporting.\n     \xe2\x80\xa2    Performed FY09 A\xc2\xb7i23 ITOC Assessments.t the following Componellt$- U.S.\n          CitizeJuh.ip and Immigration Services, Jromigration and Custom~ E\'JIf~ent,\n          Customs and Border ProtectiOD, Fedeta.l Law Enfoteement Training Center, aud U.S,\n          SctTet Service. T~ following detail! me A\xc2\xb7123 ITGC AsSC!SDlCllts for FYQ9:\n\n\n\n\n                                                131 \n\nInformation Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                              Department of Homeland Security                                         Appendix D\n                         Information Technology Management Letter\n                                        September 30, 2009\n\n\n\n\n                    o Pe:fvt.utrl wa1kthroughI witb points of contact 10 di!lC\\lSll the process and\n                      procechzrq SlID\'Ounding the CFO Designated Systems key controls.\n                    o Updated Tes~ofDesign. 
including le\'Iiew and statwI forconective\n                        actions identified In FYOS.\n                    o Pedormcd Tcsl3 ofOperatlng Ef1\'eetiverlCSS for controls thal are properly\n                        dcsigoed.\n                    o Issued the FY09 DRS Sccn:tary\'s Annua.l ~ Sta!emelIt baed on\n                       FY09 test results.\n            Issued the FY 2010 DHS Infonnation Security Performanoo P1an which includes the\n            rcquiremcat to eIlSlIr8 key finaneial ~!lllClIrity oontrols ~ ~cd lInDually.\n            Updated DHS 4300" Sensitive Systems Haodbook, AftaChmeot H: POA.&:M Procut\n            Grdtk, to includttbe CFO\'s rolt and leSpOllSibilities re1ated to the POA&M proccs;\n            aDd iDooIpomtd risle levels lIIld risk ratings for fioancia1systems to assist\n            CompoDllllts aDd DHS in better ~ the oYef&11 risk 10 iDfortnation ~\n\n        \xe2\x80\xa2   ""-\n            Implemented traelcing of A\xc2\xb7I23 rroc _Jrnes.: under the Wtaknoss Rc:mcdiation\n\n\n\n\n            _.\n            metric 011 the FISMA Sco~.\n        \xe2\x80\xa2   Provided root ca\\IIC analysis training to DHS Components and assistance with\n            llddressingA\xc2\xb7l23 ITGC deficiencies in POAa:Ms; provided POAotM bining for\n            215 finaDciall)\'SlemlllOCUrity p1\'Ofessiollal~ at eleven. 
Componcnu and DHS\n\n        \xe2\x80\xa2   Improved tracking of all IT audit reeommeodations to ensure traceability to\n            POAa:M~InTAF.\n        \xe2\x80\xa2   Developed \xe2\x80\xa2 POA&M Issues Me:ttiCll List: to track financial sy$tem$ ddicieneies\n            identified by tbeCompoDClltS, DHS Headquarters, 010 Rqlorts, and financia1\n            llS3CSSlIlClIts to resolution.\n        \xe2\x80\xa2   Updated Departmcutallnfunnation Assurance tools, t.g., Risk Management S)\'SlieIn\n            (RMS) and Trusted AgentFISMA (TAF)to monito.r 8lId traelr: compliance with\n            roquirmnents for ero Designated Sy~.\n\n        Additiooally, DHS plMs to modify the IltO(le of A-123 asxssroenb for FY 2010 to\n        perbrm verifieatioo. and VlIlidation procedures to r.nsure POA&.Ms addfess root causes of\n        ttn.lcilll. ~ IJllCUrity corrtroI deficiencies ideotifitd from the financilll. .stelt$eDt\n        audits and FISMA aDIluai ust:SSUiiIUU.\n\n        The DHS CIO end CFO rem~ fully ~tted to working to~ to sewre DRS\n                                                                  rrocs\n        finanei.lII. systems and continue to raise the stIIndar4I ftll" for 1OCWina: lII.l DHS\n        financilll. 
syst;ems informatioa.\n\n        If you haVfl any questions or would like additional infODDltion, please c:ontlIct Emery\n        Crulat.1SO, Compliance Director at (202) 357-6113 or Michael Wetldow, OCFO,\n        Director Intemal Control Program Management Office et (202) 447-5196.\n\n\n\n\n                                                 132\nInformation Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0c                        Department of Homeland Security                Appendix E\n                   Information Technology Management Letter\n                             September 30, 2009\n\n\n               Report Distribution\n\n               Department of Homeland Security\n\n               Secretary\n               Deputy Secretary\n               General Counsel\n               Chief of Staff\n               Deputy Chief of Staff\n               Executive Secretariat\n               Under Secretary, Management\n               Chief Information Officer\n               Chief Financial Officer\n               Chief Information Security Officer\n               Assistant Secretary, Policy\n               DHS GAO OIG Audit Liaison\n               Chief Information Officer, Audit Liaison\n\n               Office of Management and Budget\n\n               Chief, Homeland Security Branch\n               DHS OIG Budget Examiner\n\n               Congress\n\n               Congressional Oversight and Appropriations Committees as\n               Appropriate\n\n\n\n\n                                     133 \n\nInformation Technology Management Letter for the FY 2009 DHS Integrated Audit\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,\nfax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or 
noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'